@greenarmor/ges-policy-engine
/**
 * One entry of the country-to-privacy-pack mapping (`PRIVACY_COUNTRIES`).
 *
 * `code` is the lookup key used by `getCountryByCode`. The shipped entries are
 * not strictly ISO 3166-1 alpha-2 ("EU" stands for the EU/EEA and "US-CA" for
 * California), so treat the value as an opaque key rather than a validated
 * country code.
 */
export interface CountryPrivacyPack {
  /** Lookup key, e.g. "GB", "EU", "US-CA"; compared case-insensitively by `getCountryByCode`. */
  code: string;
  /** Human-readable jurisdiction name. */
  name: string;
  /** Coarse grouping used by `getCountriesByRegion`. */
  region: "Europe" | "Asia-Pacific" | "Americas" | "Africa" | "Middle East";
  /** Id of the policy pack to select for this jurisdiction (e.g. "za-popia" matches the pack's own `id`). */
  packId: string;
  /** Short framework label, e.g. "POPIA", "PDPL-UAE". */
  frameworkName: string;
  /** Full name of the governing statute, for display only. */
  lawName: string;
  /** Supervisory authority for the jurisdiction, for display only. */
  regulator: string;
}
/**
 * Built-in jurisdiction table. Declared as a plain mutable array (no
 * `readonly`), so a consumer that pushes to or reorders it changes what
 * `getCountryByCode` resolves for every other caller in the process.
 */
export declare const PRIVACY_COUNTRIES: CountryPrivacyPack[];
/**
 * Find the entry for a jurisdiction code.
 * @param code - Lookup key; matched case-insensitively, otherwise exact (no trimming).
 * @returns The matching entry, or `undefined` when the code is unknown.
 */
export declare function getCountryByCode(code: string): CountryPrivacyPack | undefined;
/**
 * Resolve a jurisdiction code straight to its policy pack id.
 * @param code - Lookup key, as for `getCountryByCode`.
 * @returns The `packId` of the matching entry, or `undefined` when the code is unknown.
 */
export declare function getCountryPackId(code: string): string | undefined;
/**
 * List every entry in a region.
 * @param region - One of the `region` literals of `CountryPrivacyPack`.
 * @returns The matching entries in table order; empty when none match.
 */
export declare function getCountriesByRegion(region: CountryPrivacyPack["region"]): CountryPrivacyPack[];
// ============================================================
// COUNTRY-TO-PRIVACY-PACK MAPPING
// Maps country codes to their respective privacy compliance packs
// Used by `ges init` to auto-select the correct privacy pack
// ============================================================
/**
 * Jurisdiction table consumed by `getCountryByCode`, `getCountryPackId` and
 * `getCountriesByRegion`.
 *
 * Notes for maintainers:
 * - `code` values are lookup keys, not strictly ISO 3166-1 alpha-2: "EU"
 *   stands for the EU/EEA and "US-CA" for California.
 * - `packId` is expected to equal the `id` of the corresponding policy pack
 *   (e.g. "za-popia", "ae-pdpl", "sa-pdpl"); keep the two in sync when adding
 *   a jurisdiction.
 * - The array is exported as-is (not frozen), so mutating it changes the
 *   behaviour of every lookup in the process.
 */
export const PRIVACY_COUNTRIES = [
    // --- Europe ---
    {
        code: "GB",
        name: "United Kingdom",
        region: "Europe",
        packId: "uk-gdpr",
        frameworkName: "UK-GDPR",
        lawName: "UK GDPR & Data Protection Act 2018",
        regulator: "ICO (Information Commissioner's Office)",
    },
    {
        code: "CH",
        name: "Switzerland",
        region: "Europe",
        packId: "ch-fadp",
        frameworkName: "FADP",
        lawName: "Federal Act on Data Protection (revFADP 2023)",
        regulator: "FDPIC (Federal Data Protection and Information Commissioner)",
    },
    {
        // Pseudo-code covering the EU/EEA as a whole rather than one member state.
        code: "EU",
        name: "European Union (EEA)",
        region: "Europe",
        packId: "gdpr",
        frameworkName: "GDPR",
        lawName: "EU GDPR (Regulation 2016/679)",
        regulator: "Lead Supervisory Authority (e.g., CNIL, DPC, BfDI)",
    },
    // --- Asia-Pacific ---
    {
        code: "SG",
        name: "Singapore",
        region: "Asia-Pacific",
        packId: "sg-pdpa",
        frameworkName: "PDPA-SG",
        lawName: "Personal Data Protection Act 2012 (amended 2020/2021)",
        regulator: "PDPC (Personal Data Protection Commission)",
    },
    {
        code: "PH",
        name: "Philippines",
        region: "Asia-Pacific",
        packId: "ph-dpa",
        frameworkName: "DPA-PH",
        lawName: "Data Privacy Act of 2012",
        regulator: "NPC (National Privacy Commission)",
    },
    {
        code: "JP",
        name: "Japan",
        region: "Asia-Pacific",
        packId: "jp-appi",
        frameworkName: "APPI",
        lawName: "Act on the Protection of Personal Information (APPI 2022)",
        regulator: "PPC (Personal Information Protection Commission)",
    },
    {
        code: "KR",
        name: "South Korea",
        region: "Asia-Pacific",
        packId: "kr-pipa",
        frameworkName: "PIPA",
        lawName: "Personal Information Protection Act (PIPA 2023)",
        regulator: "PIPC (Personal Information Protection Commission)",
    },
    {
        code: "CN",
        name: "China",
        region: "Asia-Pacific",
        packId: "cn-pipl",
        frameworkName: "PIPL",
        lawName: "Personal Information Protection Law (PIPL 2021)",
        regulator: "CAC (Cyberspace Administration of China)",
    },
    {
        code: "IN",
        name: "India",
        region: "Asia-Pacific",
        packId: "in-dpdpa",
        frameworkName: "DPDPA",
        lawName: "Digital Personal Data Protection Act 2023",
        regulator: "Data Protection Board of India",
    },
    // --- Americas ---
    {
        code: "BR",
        name: "Brazil",
        region: "Americas",
        packId: "br-lgpd",
        frameworkName: "LGPD",
        lawName: "Lei Geral de Proteção de Dados (Law 13,709/2018)",
        regulator: "ANPD (Autoridade Nacional de Proteção de Dados)",
    },
    {
        code: "CA",
        name: "Canada",
        region: "Americas",
        packId: "ca-pipeda",
        frameworkName: "PIPEDA",
        lawName: "PIPEDA (S.C. 2000, c. 5)",
        regulator: "OPC (Office of the Privacy Commissioner)",
    },
    {
        // Sub-national key: there is no federal "US" entry in this table.
        code: "US-CA",
        name: "United States (California)",
        region: "Americas",
        packId: "us-cpra",
        frameworkName: "CPRA",
        lawName: "CCPA as amended by CPRA (2020)",
        regulator: "CPPA (California Privacy Protection Agency)",
    },
    // --- Africa ---
    {
        code: "ZA",
        name: "South Africa",
        region: "Africa",
        packId: "za-popia",
        frameworkName: "POPIA",
        lawName: "Protection of Personal Information Act (Act 4 of 2013)",
        regulator: "Information Regulator",
    },
    // --- Middle East ---
    {
        code: "AE",
        name: "United Arab Emirates",
        region: "Middle East",
        packId: "ae-pdpl",
        frameworkName: "PDPL-UAE",
        lawName: "Federal Decree-Law No. 45 of 2021",
        regulator: "UAE Data Office",
    },
    {
        code: "SA",
        name: "Saudi Arabia",
        region: "Middle East",
        packId: "sa-pdpl",
        frameworkName: "PDPL-SA",
        lawName: "Personal Data Protection Law (Royal Decree M/19, amended M/148/2023)",
        regulator: "NDMO (National Data Management Office / SDAIA)",
    },
];
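/**
 * Look up the jurisdiction entry for a code.
 *
 * Matching is case-insensitive ("gb" and "GB" resolve to the same entry) and
 * otherwise exact: no trimming, and the only aliases are the ones present in
 * `PRIVACY_COUNTRIES` (e.g. "EU" for the EEA, "US-CA" for California).
 *
 * @param {string} code - Jurisdiction code, typically taken from `ges init` input.
 * @returns {CountryPrivacyPack | undefined} The matching entry, or `undefined`
 *   when the code is unknown.
 * @throws {TypeError} If `code` is not a string, since it is upper-cased
 *   before comparison; validate user input before calling.
 */
export function getCountryByCode(code) {
    // Normalise the needle once rather than on every comparison in the callback.
    const wanted = code.toUpperCase();
    return PRIVACY_COUNTRIES.find((entry) => entry.code.toUpperCase() === wanted);
}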
/**
 * Resolve a jurisdiction code straight to its policy pack id.
 *
 * @param {string} code - Jurisdiction code; matched case-insensitively via `getCountryByCode`.
 * @returns {string | undefined} The `packId` of the matching entry, or
 *   `undefined` when the code is unknown.
 */
export function getCountryPackId(code) {
    const entry = getCountryByCode(code);
    if (entry === undefined) {
        return undefined;
    }
    return entry.packId;
}
/**
 * List every jurisdiction entry in a region.
 *
 * @param {CountryPrivacyPack["region"]} region - Region label, compared with strict equality.
 * @returns {CountryPrivacyPack[]} Matching entries in table order; a new
 *   array each call, empty when nothing matches.
 */
export function getCountriesByRegion(region) {
    const matches = [];
    for (const entry of PRIVACY_COUNTRIES) {
        if (entry.region === region) {
            matches.push(entry);
        }
    }
    return matches;
}
| import type { PolicyPack } from "@greenarmor/ges-core"; | ||
/**
 * Build the South Africa POPIA policy pack (pack id "za-popia").
 * Every control and check is returned with status "not-implemented"; the
 * caller assesses and updates them.
 */
export declare function createSouthAfricaPOPIAPolicyPack(): PolicyPack;
/**
 * Build the UAE PDPL policy pack (pack id "ae-pdpl").
 * Every control and check is returned with status "not-implemented".
 */
export declare function createUAEPDPLPolicyPack(): PolicyPack;
/**
 * Build the Saudi Arabia PDPL policy pack (pack id "sa-pdpl").
 * Every control and check is returned with status "not-implemented".
 */
export declare function createSaudiArabiaPDPLPolicyPack(): PolicyPack;
// ============================================================
// SOUTH AFRICA — POPIA (Protection of Personal Information Act, 2013, Act No. 4 of 2013)
// Regulator: Information Regulator (established under POPIA)
// In effect: July 1, 2020 (fully enforced from July 1, 2021)
// ============================================================
/**
 * Build the South Africa POPIA policy pack.
 *
 * Returns a fresh pack object on every call (pack id "za-popia") with eight
 * controls. Every control and every check starts with status
 * "not-implemented"; the assessment workflow is expected to update them.
 *
 * @returns {PolicyPack} The POPIA pack with its controls and checks.
 */
export function createSouthAfricaPOPIAPolicyPack() {
    const FRAMEWORK = "POPIA";
    const PENDING = "not-implemented";
    // Every check starts out unassessed.
    const check = (id, description) => ({ id, description, status: PENDING });
    // Fill in the fields shared by all controls; key order matches the pack schema.
    const control = ({ id, name, description, category, severity, implementation_guidance, checks }) => ({
        id,
        name,
        description,
        category,
        framework: FRAMEWORK,
        status: PENDING,
        severity,
        implementation_guidance,
        checks,
    });
    const controls = [
        // --- Information Officer & Governance ---
        control({
            id: "POPIA-01",
            name: "Information Officer Designation",
            description: "Designate an Information Officer and register their details with the Information Regulator.",
            category: "privacy-governance",
            severity: "critical",
            implementation_guidance: "Designate the head of the organization as the Information Officer (IO). Register the IO's contact details with the Information Regulator. Ensure the IO's contact details are available on the organization's website and in official documentation. The IO is responsible for: encouraging compliance, dealing with information requests, cooperating with the Regulator, and ensuring compliance audits. Deputy IOs may be designated for specific business units. [Ref: POPIA Section 17; Information Regulator Guidelines on IO Designation]",
            checks: [
                check("POPIA-01-C1", "Information Officer designated and registered with Regulator"),
                check("POPIA-01-C2", "IO contact details published on website"),
                check("POPIA-01-C3", "Deputy IOs designated if needed"),
            ],
        }),
        // --- Processing Conditions ---
        control({
            id: "POPIA-02",
            name: "Lawfulness of Processing (Section 10)",
            description: "Process personal information lawfully and only if specific conditions are met.",
            category: "consent-management",
            severity: "critical",
            implementation_guidance: "Process PI only if: (1) the data subject/competent person consents, (2) necessary for contract performance, (3) compliance with legal obligation, (4) protects a legitimate interest, (5) necessary for public law duty, (6) performed by public body, or (7) the information is public. Consent must be voluntary, specific, informed, and unambiguous. [Ref: POPIA Sections 10-11]",
            checks: [
                check("POPIA-02-C1", "Processing basis documented per processing activity"),
                check("POPIA-02-C2", "Consent obtained (voluntary, specific, informed, unambiguous)"),
            ],
        }),
        control({
            id: "POPIA-03",
            name: "Purpose Specification and Retention",
            description: "Limit processing to specified purposes and delete/deidentify data when purpose is achieved.",
            category: "data-retention",
            severity: "high",
            implementation_guidance: "Do not process PI for purposes incompatible with the purpose for which it was obtained. Retain PI no longer than necessary to achieve the purpose. Destroy or deidentify records once the responsible party is no longer authorized to retain them, unless retention is required by law or contract. Record the destruction. Retain personal information only for historical, statistical, or research purposes with adequate safeguards. [Ref: POPIA Section 14; Sections 18-19]",
            checks: [
                check("POPIA-03-C1", "Purpose compatibility assessed for each processing"),
                check("POPIA-03-C2", "Retention periods defined and documented"),
                check("POPIA-03-C3", "Deletion/deidentification records maintained"),
            ],
        }),
        control({
            id: "POPIA-04",
            name: "Further Processing Limitation",
            description: "Ensure further processing of personal information is compatible with the original collection purpose.",
            category: "data-inventory",
            severity: "medium",
            implementation_guidance: "Further processing is compatible if: it is connected to the original purpose, consent has been obtained, the data has been made public, the processing is necessary for compliance, or it protects legitimate interests. Conduct compatibility assessments considering: the purpose of the intended further processing, the nature of the information, the consequences for the data subject, and contractual or other rights. [Ref: POPIA Section 15]",
            checks: [
                check("POPIA-04-C1", "Compatibility assessment conducted for further processing"),
                check("POPIA-04-C2", "Further processing register maintained"),
            ],
        }),
        // --- Information Quality & Security ---
        control({
            id: "POPIA-05",
            name: "Information Quality (Section 16)",
            description: "Take reasonably practicable steps to ensure personal information is complete, accurate, and not misleading.",
            category: "data-inventory",
            severity: "medium",
            implementation_guidance: "Ensure data quality at collection and before use. Verify data against reliable sources. Provide correction mechanisms for data subjects. Document data quality control processes. Consider the purpose of processing when assessing quality requirements. [Ref: POPIA Section 16]",
            checks: [
                check("POPIA-05-C1", "Data quality verification procedures implemented"),
                check("POPIA-05-C2", "Correction mechanism available for data subjects"),
            ],
        }),
        control({
            id: "POPIA-06",
            name: "Security Safeguards (Section 19)",
            description: "Implement appropriate, reasonable technical and organizational security measures to secure personal information.",
            category: "security-controls",
            severity: "critical",
            implementation_guidance: "Identify all reasonably foreseeable internal and external risks. Establish and maintain appropriate safeguards against identified risks. Regularly verify that safeguards are effectively implemented and updated. Safeguards must address: data loss, damage, unauthorized access, and unauthorized destruction. Safeguards include: access controls, encryption, firewalls, security software, physical access control, and incident response. [Ref: POPIA Section 19; Information Regulator Security Guidance]",
            checks: [
                check("POPIA-06-C1", "Risk assessment conducted for identified risks"),
                check("POPIA-06-C2", "Safeguards implemented and regularly verified"),
                check("POPIA-06-C3", "Encryption and access controls in place"),
            ],
        }),
        // --- Data Subject Rights ---
        control({
            id: "POPIA-07",
            name: "Data Subject Rights (Section 23-25)",
            description: "Implement data subject rights: notification, access, correction, objection, and destruction.",
            category: "data-subject-rights",
            severity: "high",
            implementation_guidance: "Implement rights: (1) right to be notified when PI is collected, (2) right to establish whether the responsible party holds PI, (3) right to request correction/destruction of PI, (4) right to object to processing on reasonable grounds. Respond to requests within a reasonable time (generally within 30 days). Charge no fee for the initial request. Maintain documentation of requests and responses. [Ref: POPIA Sections 23-25]",
            checks: [
                check("POPIA-07-C1", "All POPIA data subject rights implemented"),
                check("POPIA-07-C2", "Requests responded to within reasonable time"),
                check("POPIA-07-C3", "Request documentation maintained"),
            ],
        }),
        // --- Breach Notification ---
        control({
            id: "POPIA-08",
            name: "Compromise Notification (Section 22)",
            description: "Notify the Information Regulator and affected data subjects of security compromises.",
            category: "incident-management",
            severity: "critical",
            implementation_guidance: "When there are reasonable grounds to believe PI has been accessed or acquired by unauthorized persons, notify: (1) the Information Regulator, and (2) affected data subjects (unless exceptions apply). Notification must include: possible identity of unauthorized person, date of compromise, PI potentially compromised, possible harm, and steps taken/being taken. The Regulator may direct the responsible party to notify or publish notification if it hasn't been done. Maintain a compromise register. [Ref: POPIA Section 22; Information Regulator Breach Notification Regulations]",
            checks: [
                check("POPIA-08-C1", "Regulator notification procedure for compromises"),
                check("POPIA-08-C2", "Individual notification with required details"),
                check("POPIA-08-C3", "Compromise register maintained"),
            ],
        }),
    ];
    return {
        id: "za-popia",
        name: "South Africa POPIA Pack (Act 4 of 2013)",
        description: "Comprehensive South African POPIA controls: Information Officer designation (Sec. 17), lawful processing conditions (Sec. 10-11), purpose specification and retention (Sec. 14/18-19), further processing limitation (Sec. 15), information quality (Sec. 16), security safeguards (Sec. 19), data subject rights (Sec. 23-25), and compromise notification (Sec. 22).",
        version: "1.0.0",
        project_types: ["saas", "generic-web-application", "api-backend", "mobile-application"],
        controls,
        frameworks: [FRAMEWORK],
    };
}
// ============================================================
// UAE — PDPL (Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data)
// Regulator: UAE Data Office (established under Federal Law by decree)
// Implementing Regulation: Cabinet Decision No. 93 of 2021
// ============================================================
/**
 * Build the UAE PDPL policy pack.
 *
 * Returns a fresh pack object on every call (pack id "ae-pdpl") with six
 * controls. Every control and every check starts with status
 * "not-implemented"; the assessment workflow is expected to update them.
 *
 * @returns {PolicyPack} The UAE PDPL pack with its controls and checks.
 */
export function createUAEPDPLPolicyPack() {
    const FRAMEWORK = "PDPL-UAE";
    const PENDING = "not-implemented";
    // Every check starts out unassessed.
    const check = (id, description) => ({ id, description, status: PENDING });
    // Fill in the fields shared by all controls; key order matches the pack schema.
    const control = ({ id, name, description, category, severity, implementation_guidance, checks }) => ({
        id,
        name,
        description,
        category,
        framework: FRAMEWORK,
        status: PENDING,
        severity,
        implementation_guidance,
        checks,
    });
    const controls = [
        // --- Data Protection Officer ---
        control({
            id: "PDPL-UAE-01",
            name: "Data Protection Officer (UAE)",
            description: "Appoint a Data Protection Officer for processing that requires systematic monitoring or large-scale sensitive data.",
            category: "privacy-governance",
            severity: "high",
            implementation_guidance: "Appoint a DPO when processing involves: large-scale processing of sensitive personal data, systematic monitoring of data subjects on a large scale, or cases specified by the UAE Data Office. The DPO must: advise on PDPL compliance, cooperate with the UAE Data Office, and act as contact point. Publish DPO contact details. Ensure DPO independence and no conflict of interest. [Ref: PDPL Article 10-11; Cabinet Decision No. 93/2021]",
            checks: [
                check("PDPL-UAE-01-C1", "DPO appointed where required"),
                check("PDPL-UAE-01-C2", "DPO contact details published"),
                check("PDPL-UAE-01-C3", "DPO independence ensured"),
            ],
        }),
        // --- Consent & Legal Basis ---
        control({
            id: "PDPL-UAE-02",
            name: "Consent and Legal Basis (UAE)",
            description: "Obtain clear, unambiguous consent or identify alternative legal basis for processing.",
            category: "consent-management",
            severity: "critical",
            implementation_guidance: "Obtain clear and unambiguous consent for processing. Alternatively, process based on: contract performance, legal obligation, vital interests, public interest, legitimate interests assessed against data subject rights, or other lawful bases specified in the law. For sensitive personal data (health, biometric, racial, religious, criminal), obtain explicit consent unless an exception applies. Consent must be free, specific, informed, and unambiguous. [Ref: PDPL Articles 4-5, 7-9]",
            checks: [
                check("PDPL-UAE-02-C1", "Clear, unambiguous consent obtained per purpose"),
                check("PDPL-UAE-02-C2", "Explicit consent for sensitive data"),
                check("PDPL-UAE-02-C3", "Legal basis documented per processing activity"),
            ],
        }),
        // --- Privacy Notice ---
        control({
            id: "PDPL-UAE-03",
            name: "Privacy Notice and Transparency",
            description: "Provide clear privacy notices at the time of collection with all PDPL-required information.",
            category: "privacy-governance",
            severity: "high",
            implementation_guidance: "Provide a privacy notice including: controller identity and contact details, DPO contact, processing purposes, legal basis, data categories, recipients, cross-border transfers, retention period, data subject rights, and complaint mechanisms. Present in clear and understandable language (Arabic and/or English as appropriate). Make the notice available at or before collection. Update when processing purposes change. [Ref: PDPL Article 6]",
            checks: [
                check("PDPL-UAE-03-C1", "Privacy notice includes all PDPL-required items"),
                check("PDPL-UAE-03-C2", "Notice provided at or before collection"),
                check("PDPL-UAE-03-C3", "Notice in appropriate language(s)"),
            ],
        }),
        // --- Personal Data Protection Impact Assessment ---
        control({
            id: "PDPL-UAE-04",
            name: "Personal Data Protection Impact Assessment",
            description: "Conduct DPIAs for processing activities that may pose high risks to data subjects.",
            category: "privacy-governance",
            severity: "high",
            implementation_guidance: "Conduct a DPIA before processing that may result in a high risk to data subject rights, particularly when using new technologies. The DPIA must include: systematic description of processing, necessity and proportionality assessment, risk identification and assessment, and mitigation measures. Consult the DPO. Submit DPIA results to the UAE Data Office when requested. For Mainland UAE, specific DPIA requirements apply under Cabinet Decision No. 93/2021. [Ref: PDPL Article 20-21; Cabinet Decision No. 93/2021]",
            checks: [
                check("PDPL-UAE-04-C1", "DPIA criteria for high-risk processing established"),
                check("PDPL-UAE-04-C2", "DPIAs conducted with required documentation"),
                check("PDPL-UAE-04-C3", "Results submitted to UAE Data Office when required"),
            ],
        }),
        // --- Cross-Border Data Transfers ---
        control({
            id: "PDPL-UAE-05",
            name: "Cross-Border Data Transfer (UAE)",
            description: "Ensure personal data transferred outside the UAE receives an adequate level of protection.",
            category: "cross-border-transfers",
            severity: "critical",
            implementation_guidance: "Transfer personal data outside the UAE only when: the destination country provides adequate protection (UAE Data Office adequacy decision), appropriate safeguards are in place (SCCs, BCRs), or specific exceptions apply (explicit consent, contract performance, public interest). Assess destination country's legal framework. Use UAE Data Office-approved transfer mechanisms. Maintain transfer documentation. Special rules apply to transfers within UAE Free Zones (DIFC, ADGM) which have their own data protection regimes. [Ref: PDPL Article 22-25; Cabinet Decision No. 93/2021]",
            checks: [
                check("PDPL-UAE-05-C1", "Adequacy assessment conducted per destination country"),
                check("PDPL-UAE-05-C2", "SCCs or BCRs for non-adequate transfers"),
                check("PDPL-UAE-05-C3", "Free Zone (DIFC/ADGM) rules assessed if applicable"),
            ],
        }),
        // --- Breach Notification & Security ---
        control({
            id: "PDPL-UAE-06",
            name: "Breach Notification and Security (UAE)",
            description: "Implement security measures and notify the UAE Data Office of personal data breaches.",
            category: "incident-management",
            severity: "critical",
            implementation_guidance: "Implement appropriate technical and organizational measures to protect personal data. When a personal data breach occurs, notify the UAE Data Office as soon as possible and within the timeframe specified by regulation. If the breach poses high risk to data subjects, notify them without undue delay. The notification must include: nature of the breach, affected data categories, approximate number of affected individuals, measures taken, and contact details for further information. Maintain an internal breach register. [Ref: PDPL Article 15, 33-34; Cabinet Decision No. 93/2021]",
            checks: [
                check("PDPL-UAE-06-C1", "Security measures documented and implemented"),
                check("PDPL-UAE-06-C2", "UAE Data Office notification procedure established"),
                check("PDPL-UAE-06-C3", "Individual notification for high-risk breaches"),
            ],
        }),
    ];
    return {
        id: "ae-pdpl",
        name: "UAE PDPL Pack (Federal Decree-Law No. 45 of 2021)",
        description: "Comprehensive UAE personal data protection controls: DPO appointment (Art. 10-11), consent and legal basis (Art. 4-9), privacy notice requirements (Art. 6), DPIA for high-risk processing (Art. 20-21), cross-border transfers with Free Zone awareness (Art. 22-25), and breach notification with security measures (Art. 15/33-34).",
        version: "1.0.0",
        project_types: ["saas", "generic-web-application", "api-backend", "mobile-application"],
        controls,
        frameworks: [FRAMEWORK],
    };
}
| // ============================================================ | ||
| // SAUDI ARABIA — PDPL (Personal Data Protection Law, Royal Decree No. M/19) | ||
| // As amended September 2023 (Amending Law No. M/148) | ||
| // Regulator: National Data Management Office (NDMO) / SDAIA | ||
| // Fully in effect: September 14, 2023 | ||
| // ============================================================ | ||
| export function createSaudiArabiaPDPLPolicyPack() { | ||
| const controls = [ | ||
| // --- Consent & Legal Basis --- | ||
| { | ||
| id: "PDPL-SA-01", | ||
| name: "Consent and Legal Basis", | ||
| description: "Obtain valid consent or identify alternative legal basis for processing personal data under the PDPL.", | ||
| category: "consent-management", | ||
| framework: "PDPL-SA", | ||
| status: "not-implemented", | ||
| severity: "critical", | ||
| implementation_guidance: "Obtain consent that is: specific, informed, and unambiguous, indicating the data subject's clear will. Alternatively, process based on: contract performance, legal obligation, vital interests, public task, legitimate interests (assessed against data subject rights and freedoms). For sensitive data (health, genetic, racial, ethnic, religious, biometric, criminal), obtain explicit consent unless an exception applies. Consent must be documented. [Ref: PDPL Articles 5-6, 9; Amending Law M/148/2023]", | ||
| checks: [ | ||
| { id: "PDPL-SA-01-C1", description: "Specific, informed, unambiguous consent obtained", status: "not-implemented" }, | ||
| { id: "PDPL-SA-01-C2", description: "Explicit consent for sensitive data", status: "not-implemented" }, | ||
| { id: "PDPL-SA-01-C3", description: "Legal basis documented per processing activity", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| // --- Privacy Notice --- | ||
| { | ||
| id: "PDPL-SA-02", | ||
| name: "Privacy Notice (Arabic Language)", | ||
| description: "Provide clear privacy notices in Arabic with all PDPL-required disclosures.", | ||
| category: "privacy-governance", | ||
| framework: "PDPL-SA", | ||
| status: "not-implemented", | ||
| severity: "high", | ||
| implementation_guidance: "Provide a privacy notice including: controller identity, contact details, processing purposes, legal basis, data categories, recipients, retention period, cross-border transfers, data subject rights (amendment, withdrawal of consent, destruction), and complaint mechanisms. The notice must be in clear Arabic language. Present before or at the time of collection. Update when processing purposes change. [Ref: PDPL Article 8; Amending Law M/148/2023]", | ||
| checks: [ | ||
| { id: "PDPL-SA-02-C1", description: "Privacy notice in Arabic with all required items", status: "not-implemented" }, | ||
| { id: "PDPL-SA-02-C2", description: "Notice provided before/at collection", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| // --- Data Subject Rights --- | ||
| { | ||
| id: "PDPL-SA-03", | ||
| name: "Data Subject Rights", | ||
| description: "Implement data subject rights including access, correction, destruction, and objection.", | ||
| category: "data-subject-rights", | ||
| framework: "PDPL-SA", | ||
| status: "not-implemented", | ||
| severity: "high", | ||
| implementation_guidance: "Implement rights: (1) right to be informed of processing, (2) right to access personal data and related information, (3) right to correct/update incomplete or inaccurate data, (4) right to destruction of data processed in violation, (5) right to withdraw consent, (6) right to lodge a complaint. Respond to requests within a reasonable period. Enable rights through accessible means (including the organization's website or app). [Ref: PDPL Articles 16-18; Amending Law M/148/2023]", | ||
| checks: [ | ||
| { id: "PDPL-SA-03-C1", description: "All PDPL rights implemented and accessible", status: "not-implemented" }, | ||
| { id: "PDPL-SA-03-C2", description: "Requests processed within reasonable period", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| // --- Data Localization & Cross-Border Transfer --- | ||
| { | ||
| id: "PDPL-SA-04", | ||
| name: "Data Localization and Cross-Border Transfer", | ||
| description: "Comply with Saudi data localization requirements and cross-border transfer regulations.", | ||
| category: "cross-border-transfers", | ||
| framework: "PDPL-SA", | ||
| status: "not-implemented", | ||
| severity: "critical", | ||
| implementation_guidance: "The amended PDPL requires that personal data be processed in Saudi Arabia. Cross-border transfer is permitted only when: the destination provides an adequate level of protection (per NDMO assessment), appropriate safeguards are in place (SCCs, BCRs approved by NDMO), or specific exceptions apply (explicit consent, contract performance, public interest). Assess the legal framework of the destination country. Maintain a transfer register. Obtain NDMO approval where required for specific transfers. Monitor NDMO transfer regulations and guidelines. [Ref: PDPL Article 29; Amending Law M/148/2023; NDMO Transfer Regulations]", | ||
| checks: [ | ||
| { id: "PDPL-SA-04-C1", description: "Data localization requirement assessed and implemented", status: "not-implemented" }, | ||
| { id: "PDPL-SA-04-C2", description: "NDMO adequacy assessment for destination countries", status: "not-implemented" }, | ||
| { id: "PDPL-SA-04-C3", description: "SCCs/BCRs approved by NDMO for non-adequate transfers", status: "not-implemented" }, | ||
| { id: "PDPL-SA-04-C4", description: "Transfer register maintained", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| // --- Security & Breach Notification --- | ||
| { | ||
| id: "PDPL-SA-05", | ||
| name: "Security Measures and Breach Notification", | ||
| description: "Implement appropriate security safeguards and notify NDMO and affected individuals of data breaches.", | ||
| category: "incident-management", | ||
| framework: "PDPL-SA", | ||
| status: "not-implemented", | ||
| severity: "critical", | ||
| implementation_guidance: "Implement appropriate technical and organizational measures to protect personal data considering: the nature of data, processing methods, and risk levels. Notify NDMO of any personal data breach within 72 hours of becoming aware of it (or immediately if high risk). If the breach poses a high risk to data subjects, notify them without undue delay. The notification must include: nature of breach, affected data categories, number of affected individuals, potential consequences, and measures taken. Maintain a breach register. [Ref: PDPL Articles 20, 30; Amending Law M/148/2023; NDMO Breach Regulations]", | ||
| checks: [ | ||
| { id: "PDPL-SA-05-C1", description: "Security measures documented and risk-assessed", status: "not-implemented" }, | ||
| { id: "PDPL-SA-05-C2", description: "NDMO notification within 72 hours", status: "not-implemented" }, | ||
| { id: "PDPL-SA-05-C3", description: "Individual notification for high-risk breaches", status: "not-implemented" }, | ||
| { id: "PDPL-SA-05-C4", description: "Breach register maintained", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| // --- NDMO Registration & Oversight --- | ||
| { | ||
| id: "PDPL-SA-06", | ||
| name: "NDMO Registration and Compliance", | ||
| description: "Register with NDMO as required and comply with NDMO oversight obligations.", | ||
| category: "privacy-governance", | ||
| framework: "PDPL-SA", | ||
| status: "not-implemented", | ||
| severity: "high", | ||
| implementation_guidance: "Register with the National Data Management Office (NDMO) when required by regulation. Appoint a Data Protection Officer to liaise with NDMO. Maintain records of processing activities. Cooperate with NDMO audits and investigations. Implement NDMO-issued guidelines and policies. Submit annual compliance reports if required. For government entities, comply with NDMO National Data Governance policies. [Ref: PDPL Article 40; Amending Law M/148/2023; NDMO National Data Governance Interim Regulations]", | ||
| checks: [ | ||
| { id: "PDPL-SA-06-C1", description: "NDMO registration completed where required", status: "not-implemented" }, | ||
| { id: "PDPL-SA-06-C2", description: "Processing records maintained for NDMO oversight", status: "not-implemented" }, | ||
| { id: "PDPL-SA-06-C3", description: "NDMO guidelines and policies implemented", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| ]; | ||
| return { | ||
| id: "sa-pdpl", | ||
| name: "Saudi Arabia PDPL Pack (Royal Decree M/19 as amended M/148/2023)", | ||
| description: "Comprehensive Saudi PDPL controls: consent and legal basis (Art. 5-9), Arabic privacy notice (Art. 8), data subject rights (Art. 16-18), data localization and cross-border transfer with NDMO approval (Art. 29), 72-hour breach notification (Art. 30), and NDMO registration and oversight (Art. 40).", | ||
| version: "1.0.0", | ||
| project_types: ["saas", "generic-web-application", "api-backend", "mobile-application"], | ||
| controls, | ||
| frameworks: ["PDPL-SA"], | ||
| }; | ||
| } |
| import type { PolicyPack } from "@greenarmor/ges-core"; | ||
/**
 * Factory for the Brazil LGPD (Law No. 13,709/2018) policy pack.
 * The implementation builds a fresh object literal on every call, so the
 * returned pack may be mutated by the caller without affecting later calls.
 */
export declare function createBrazilLGPDPolicyPack(): PolicyPack;
/**
 * Factory for the Canada PIPEDA policy pack (the ten Schedule 1 fair
 * information principles plus mandatory breach notification). Returns a
 * fresh object on every call.
 */
export declare function createCanadaPIPEDAPolicyPack(): PolicyPack;
/**
 * Factory for the California CPRA/CCPA policy pack.
 * NOTE: the identifier spells "CRPA" while the statute is the CPRA; the
 * exported name is kept unchanged for API compatibility.
 */
export declare function createCaliforniaCRPAPolicyPack(): PolicyPack;
| // ============================================================ | ||
| // BRAZIL — LGPD (Lei Geral de Proteção de Dados, Law No. 13,709/2018) | ||
| // Regulator: ANPD (Autoridade Nacional de Proteção de Dados) | ||
| // In effect: September 18, 2020 (sanctions from August 1, 2021) | ||
| // ============================================================ | ||
/**
 * Builds the Brazil LGPD policy pack (Lei Geral de Proteção de Dados,
 * Law No. 13,709/2018; regulator ANPD).
 *
 * Every control and every check starts out as `status: "not-implemented"`.
 * A new object graph is constructed on each call, so callers may update
 * statuses on the result without leaking state into later calls.
 *
 * @returns The `br-lgpd` pack with ten LGPD controls (LGPD-01 … LGPD-10).
 */
export function createBrazilLGPDPolicyPack() {
    const framework = "LGPD";
    const pending = "not-implemented";

    // Assembles one control. Check ids are derived from the control id as
    // `<id>-C<n>` (1-based) so they stay unique within the pack; both the
    // control and each check start in the pending state.
    const control = (
        id: string,
        name: string,
        description: string,
        category: string,
        severity: string,
        implementation_guidance: string,
        checkDescriptions: string[],
    ) => ({
        id,
        name,
        description,
        category,
        framework,
        status: pending,
        severity,
        implementation_guidance,
        checks: checkDescriptions.map((text, index) => ({
            id: `${id}-C${index + 1}`,
            description: text,
            status: pending,
        })),
    });

    const controls = [
        // --- Governance & Accountability ---
        control(
            "LGPD-01",
            "Encarregado (DPO) Appointment",
            "Appoint an Encarregado (Data Protection Officer) and publish their contact information per ANPD guidance.",
            "privacy-governance",
            "critical",
            "Appoint an Encarregado de Proteção de Dados (DPO) who is responsible for: accepting complaints, communicating with ANPD, guiding employees/contractors on LGPD compliance, and executing other ANPD-defined duties. Publish the Encarregado's identity and contact details on the organization's website or other accessible medium. The Encarregado must be a person of integrity and independence. Small entities may be exempted by ANPD regulation. [Ref: LGPD Article 41; ANPD Resolution CD/ANPD No. 5/2022]",
            [
                "Encarregado appointed with defined responsibilities",
                "Contact information published and accessible",
                "ANPD exemption assessment documented if applicable",
            ],
        ),
        control(
            "LGPD-02",
            "Records of Processing Activities",
            "Maintain a Record of Personal Data Processing Operations as required by LGPD Article 37.",
            "data-inventory",
            "critical",
            "Maintain a Record of Personal Data Processing Operations (ROPD) documenting: controller/processor/Encarregado details, categories of data subjects, personal data categories, purposes, data sharing, international transfers, retention, and security measures. Small entities are exempt unless processing is high-risk under ANPD criteria. [Ref: LGPD Article 37; ANPD Simplified Records Resolution]",
            [
                "ROPD maintained with all Article 37 required fields",
                "Records updated when processing activities change",
                "Exemption assessment documented for small entities",
            ],
        ),
        // --- Legal Bases & Consent ---
        control(
            "LGPD-03",
            "Legal Basis for Processing",
            "Identify and document one of the ten LGPD legal bases for each processing activity.",
            "consent-management",
            "critical",
            "Document the applicable legal basis for each processing activity. The ten bases are: (1) consent, (2) compliance with legal/regulatory duty, (3) public administration policy execution, (4) studies by research entities, (5) contract performance, (6) regular exercise of rights, (7) protection of life/physical safety, (8) protection of health by health professionals/services, (9) legitimate interests, (10) credit protection. When relying on legitimate interests, conduct a balancing test. [Ref: LGPD Article 7]",
            [
                "Legal basis documented per processing activity",
                "Legitimate interest balancing test conducted where applicable",
                "Legal basis communicated in privacy notice",
            ],
        ),
        control(
            "LGPD-04",
            "Consent Management (LGPD)",
            "Obtain free, informed, and unambiguous consent that is specific for each purpose.",
            "consent-management",
            "critical",
            "Consent must be: free, informed, unambiguous, expressed in writing or by other means demonstrating the holder's will. Must be specific for each purpose (no bundled consent). Consent for sensitive personal data must be in writing or by separate means, unless an exception applies. Children and adolescents' data requires specific consent from at least one parent or legal guardian (best interest of the child principle). Provide easy withdrawal mechanism at no cost. [Ref: LGPD Articles 8, 11, 14]",
            [
                "Consent obtained per specific purpose (no bundling)",
                "Written/separate consent for sensitive data",
                "Guardian consent for minors (best interest principle)",
                "Easy, free consent withdrawal mechanism",
            ],
        ),
        // --- Data Subject Rights ---
        control(
            "LGPD-05",
            "Holder Rights (Article 18)",
            "Implement all data holder rights with response within 15 days of request.",
            "data-subject-rights",
            "critical",
            "Implement rights: (1) confirmation of processing, (2) access to data, (3) correction of incomplete/inaccurate data, (4) anonymization/blocking/deletion of unnecessary/excessive/processed in non-compliance, (5) portability to another service/product provider, (6) deletion of personal data processed with consent, (7) information about data sharing, (8) information about possibility to deny consent and consequences. Respond within 15 days of the request. Facilitate rights via an easy, free mechanism. [Ref: LGPD Article 18]",
            [
                "All Article 18 rights implemented and accessible",
                "Response within 15 days of request",
                "Free mechanism for exercising rights",
            ],
        ),
        // --- Security & DPIA ---
        control(
            "LGPD-06",
            "Security of Personal Data",
            "Implement appropriate technical and organizational security measures per LGPD Article 46.",
            "security-controls",
            "critical",
            "Implement security measures appropriate to the nature of the personal data and considering: the current state of technology, the specific characteristics of processing, and the potential risks. Measures should include: access controls, encryption, network security, authentication, backup, and incident response. Periodically review and update measures. Follow ANPD security guidance when published. [Ref: LGPD Article 46]",
            [
                "Security measures documented and risk-assessed",
                "Encryption and access controls implemented",
                "Security measures reviewed and updated periodically",
            ],
        ),
        control(
            "LGPD-07",
            "Data Protection Impact Assessment (DPIA-LGPD)",
            "Conduct a Data Protection Impact Assessment for processing based on legitimate interests or high-risk activities.",
            "privacy-governance",
            "high",
            "Conduct a DPIA for processing activities that may generate public risk, based on ANPD criteria. The DPIA must document: processing description, legitimacy assessments, risk analysis, and mitigation measures. Consult the Encarregado. The DPIA must be kept under confidentiality. Submit to ANPD when requested or when the processing poses high risk. [Ref: LGPD Article 38; ANPD DPIA Guidance]",
            [
                "DPIA criteria established based on ANPD guidance",
                "DPIAs conducted for high-risk processing",
                "DPIA records maintained under confidentiality",
            ],
        ),
        // --- Breach Notification ---
        // NOTE(review): the guidance below says "reasonable timeframe" while
        // citing Resolution CD/ANPD No. 15/2024, which is understood to fix a
        // concrete deadline (3 working days from awareness). Confirm against
        // the resolution and consider a timing check (cf. PDPL-SA-05-C2).
        control(
            "LGPD-08",
            "ANPD Breach Notification",
            "Notify ANPD and affected data subjects of security incidents that may cause risk or harm.",
            "incident-management",
            "critical",
            "Notify ANPD within a reasonable timeframe of a security incident that may cause risk or relevant harm to data subjects. The ANPD notification must include: nature of data, description of the incident, affected data subjects, technical/security measures adopted, risks involved, and reasons for delay (if any). Notify affected data subjects unless the risk has been mitigated (e.g., encryption). Maintain an internal incident register. [Ref: LGPD Article 48; ANPD Resolution CD/ANPD No. 15/2024]",
            [
                "ANPD notification procedure established",
                "Affected data subjects notified when risk/harm exists",
                "Incident register maintained",
            ],
        ),
        // --- International Transfers ---
        control(
            "LGPD-09",
            "International Data Transfer (LGPD)",
            "Ensure international transfers of personal data comply with LGPD Articles 33-36.",
            "cross-border-transfers",
            "high",
            "Transfer personal data to foreign countries only when: the destination country provides adequate level of protection (ANPD adequacy decision), the controller guarantees and demonstrates compliance (SCCs), international cooperation instruments exist, or the controller proves effective compliance with principles and rights. ANPD may establish specific contractual clauses (CCs). When a transfer basis is contested, the burden of proof is on the controller. [Ref: LGPD Articles 33-36; ANPD International Transfer Regulations]",
            [
                "Transfer register maintained with basis per transfer",
                "ANPD SCCs or adequacy for each international transfer",
                "ANPD adequacy decisions monitored",
            ],
        ),
        // --- Processor Management ---
        control(
            "LGPD-10",
            "Operator (Processor) Contracts",
            "Execute LGPD-compliant contracts with all operators (processors).",
            "vendor-management",
            "high",
            "Execute written contracts with operators (processors) covering: processing purposes, nature and scope, duration, data categories, data subject rights, security measures, confidentiality, sub-processor controls, data return/deletion upon termination, and audit rights. Operators must process only on documented instructions. Operators are jointly liable for damages caused by processing that deviates from instructions. [Ref: LGPD Article 39]",
            [
                "Article 39 contracts executed with all operators",
                "Sub-processor flow-down terms included",
                "Data return/deletion upon termination guaranteed",
            ],
        ),
    ];

    return {
        id: "br-lgpd",
        name: "Brazil LGPD Pack (Law 13,709/2018)",
        description: "Comprehensive Brazilian LGPD controls: Encarregado appointment (Art. 41), ROPD (Art. 37), ten legal bases (Art. 7), consent management (Art. 8/11/14), holder rights with 15-day response (Art. 18), security (Art. 46), DPIA (Art. 38), ANPD breach notification (Art. 48), international transfers (Art. 33-36), and operator contracts (Art. 39).",
        version: "1.0.0",
        project_types: ["saas", "generic-web-application", "api-backend", "mobile-application"],
        controls,
        frameworks: [framework],
    };
}
| // ============================================================ | ||
| // CANADA — PIPEDA (Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5) | ||
| // Regulator: Office of the Privacy Commissioner of Canada (OPC) | ||
| // Breach provisions: PIPEDA Section 10.1 (in force Nov 1, 2018) | ||
| // ============================================================ | ||
/**
 * Builds the Canada PIPEDA policy pack (Personal Information Protection and
 * Electronic Documents Act, S.C. 2000, c. 5; regulator OPC).
 *
 * One control per Schedule 1 fair information principle (openness and
 * individual access share PIPEDA-08), plus the Section 10.1 mandatory breach
 * notification control. Every control and check starts out as
 * `status: "not-implemented"`, and a new object graph is built per call.
 *
 * @returns The `ca-pipeda` pack with ten PIPEDA controls (PIPEDA-01 … PIPEDA-10).
 */
export function createCanadaPIPEDAPolicyPack() {
    const framework = "PIPEDA";
    const pending = "not-implemented";

    // Assembles one control. Check ids are derived from the control id as
    // `<id>-C<n>` (1-based) so they stay unique within the pack; both the
    // control and each check start in the pending state.
    const control = (
        id: string,
        name: string,
        description: string,
        category: string,
        severity: string,
        implementation_guidance: string,
        checkDescriptions: string[],
    ) => ({
        id,
        name,
        description,
        category,
        framework,
        status: pending,
        severity,
        implementation_guidance,
        checks: checkDescriptions.map((text, index) => ({
            id: `${id}-C${index + 1}`,
            description: text,
            status: pending,
        })),
    });

    const controls = [
        // --- Accountability Principle ---
        control(
            "PIPEDA-01",
            "Accountability (Principle 1)",
            "Designate a Privacy Officer responsible for compliance and implement accountability policies.",
            "privacy-governance",
            "critical",
            "Designate an individual (Privacy Officer) accountable for PIPEDA compliance. The organization is responsible for personal information under its control, including information transferred to third parties for processing. Implement policies and practices to comply with PIPEDA. Make the Privacy Officer's identity and contact information available upon request. [Ref: PIPEDA Schedule 1, Principle 4.1]",
            [
                "Privacy Officer designated and documented",
                "Accountability policies implemented",
                "Privacy Officer contact available upon request",
            ],
        ),
        // --- Identifying Purposes ---
        control(
            "PIPEDA-02",
            "Identifying Purposes (Principle 2)",
            "Document and communicate the purposes for personal information collection before or at the time of collection.",
            "consent-management",
            "high",
            "Identify and document purposes for which personal information is collected. Communicate purposes to the individual before or at the time of collection. For secondary use, identify the new purpose and obtain consent. Purposes should be limited to what a reasonable person would consider appropriate. [Ref: PIPEDA Schedule 1, Principle 4.2; PIPEDA Section 5]",
            [
                "Purposes documented before/at collection",
                "New consent obtained for secondary purposes",
            ],
        ),
        // --- Consent ---
        control(
            "PIPEDA-03",
            "Consent (Principle 3)",
            "Obtain meaningful knowledge and consent for collection, use, or disclosure of personal information.",
            "consent-management",
            "critical",
            "Obtain consent that is appropriate for the circumstances. Consent can be express or implied. Require express consent for sensitive information. Do not make consent a condition of providing a service beyond what is necessary. Provide means to withdraw consent, subject to legal/contractual restrictions. For minors, obtain consent from a parent/guardian. Consider the 'appropriate purposes' test under PIPEDA Section 5(3). [Ref: PIPEDA Schedule 1, Principle 4.3; PIPEDA Section 6.1]",
            [
                "Consent obtained appropriate to circumstances",
                "Express consent for sensitive data",
                "Consent withdrawal mechanism available",
            ],
        ),
        // --- Limiting Collection ---
        control(
            "PIPEDA-04",
            "Limiting Collection (Principle 4)",
            "Limit collection of personal information to what is necessary for identified purposes.",
            "data-inventory",
            "high",
            "Collect personal information only by fair and lawful means. Do not collect information that is unnecessary for the identified purposes. Document data minimization practices. Avoid deceptive or misleading collection practices. Regularly review collection forms and processes for necessity. [Ref: PIPEDA Schedule 1, Principle 4.4]",
            [
                "Collection limited to identified purposes",
                "Collection methods are fair and lawful",
            ],
        ),
        // --- Limiting Use, Disclosure, and Retention ---
        control(
            "PIPEDA-05",
            "Limiting Use, Disclosure, Retention (Principle 5)",
            "Do not use or disclose personal information for new purposes without consent. Retain only as long as necessary.",
            "data-retention",
            "high",
            "Use and disclose personal information only for the purpose it was collected, unless consent is obtained or required by law. Retain personal information only as long as necessary for the identified purposes or as required by law. Destroy, erase, or anonymize data no longer required. Document retention and destruction guidelines. [Ref: PIPEDA Schedule 1, Principle 4.5]",
            [
                "New purposes require fresh consent",
                "Retention schedules documented",
                "Destruction/anonymization of expired data",
            ],
        ),
        // --- Accuracy ---
        control(
            "PIPEDA-06",
            "Accuracy (Principle 6)",
            "Ensure personal information is accurate, complete, and up-to-date for its intended use.",
            "data-inventory",
            "medium",
            "Minimize the possibility of using inaccurate information for decisions. Update personal information when inaccuracies are identified. Provide mechanisms for individuals to challenge accuracy and have information amended. Do not routinely update data unless necessary for the identified purpose. [Ref: PIPEDA Schedule 1, Principle 4.6]",
            [
                "Accuracy verification procedures implemented",
                "Individual amendment/challenge mechanism available",
            ],
        ),
        // --- Safeguards ---
        control(
            "PIPEDA-07",
            "Safeguards (Principle 7)",
            "Implement security safeguards appropriate to the sensitivity of the personal information.",
            "security-controls",
            "critical",
            "Protect personal information with safeguards appropriate to sensitivity. Safeguards include: physical measures (locked offices, restricted access), organizational measures (security clearances, need-to-know), and technological measures (passwords, encryption, firewalls). Methods of disposal must prevent unauthorized access. Ensure employees understand the importance of maintaining confidentiality. [Ref: PIPEDA Schedule 1, Principle 4.7; OPC Security Guidance]",
            [
                "Safeguards proportional to data sensitivity",
                "Physical, organizational, and technical safeguards implemented",
                "Secure disposal methods preventing unauthorized access",
            ],
        ),
        // --- Access and Individual Rights ---
        control(
            "PIPEDA-08",
            "Openness and Access (Principles 8 & 9)",
            "Provide individuals access to their personal information and make privacy policies readily available.",
            "data-subject-rights",
            "high",
            "Make information about privacy policies and practices readily available. Upon request, inform individuals of the existence, use, and disclosure of their personal information and provide access. Respond within 30 days (extendable by 30). Provide access at minimal or no cost. Allow individuals to challenge the accuracy and completeness of information. Document refusals with reasons. [Ref: PIPEDA Schedule 1, Principles 4.8-4.9; PIPEDA Section 8]",
            [
                "Privacy policy publicly available",
                "Access requests fulfilled within 30 days",
                "Accuracy challenge mechanism implemented",
            ],
        ),
        // --- Challenging Compliance ---
        control(
            "PIPEDA-09",
            "Challenging Compliance (Principle 10)",
            "Establish procedures to receive and respond to complaints about personal information handling.",
            "data-subject-rights",
            "medium",
            "Establish complaint procedures that are easily accessible and simple to use. Inform complainants of avenues of recourse, including the ability to complain to the OPC. Investigate all complaints and take appropriate remedial action. Document complaints, investigations, and outcomes. [Ref: PIPEDA Schedule 1, Principle 4.10]",
            [
                "Accessible complaint procedure established",
                "OPC escalation communicated to complainants",
                "Complaint register maintained",
            ],
        ),
        // --- Mandatory Breach Notification ---
        // NOTE(review): the checks cover who is notified and record retention
        // but not timing; s. 10.1 is understood to require notification "as
        // soon as feasible" once RROSH is determined. Confirm and consider a
        // timing check alongside PIPEDA-10-C2.
        control(
            "PIPEDA-10",
            "Mandatory Breach Notification (RROSH)",
            "Notify the OPC and affected individuals of breaches posing a 'real risk of significant harm.'",
            "incident-management",
            "critical",
            "Conduct a Real Risk of Significant Harm (RROSH) assessment for every breach. If a breach poses a real risk of significant harm to an individual, notify: (1) the affected individual(s) directly, (2) the OPC, and (3) any other organization/government institution that may mitigate harm. Maintain a breach record containing: breach description, date/discovery date, number of affected individuals, RROSH assessment, and remediation. Keep breach records for 24 months. [Ref: PIPEDA Section 10.1; Breach of Security Safeguards Regulations]",
            [
                "RROSH assessment procedure implemented",
                "OPC and individual notification for RROSH breaches",
                "Breach records maintained for 24 months",
            ],
        ),
    ];

    return {
        id: "ca-pipeda",
        name: "Canada PIPEDA Pack (10 Fair Information Principles)",
        description: "Comprehensive Canadian PIPEDA controls covering all 10 CSA fair information principles (Schedule 1): accountability, identifying purposes, consent, limiting collection, limiting use/disclosure/retention, accuracy, safeguards, openness, individual access, challenging compliance, plus mandatory RROSH breach notification (Section 10.1).",
        version: "1.0.0",
        project_types: ["saas", "generic-web-application", "api-backend", "mobile-application"],
        controls,
        frameworks: [framework],
    };
}
| // ============================================================ | ||
| // CALIFORNIA — CPRA (California Privacy Rights Act of 2020) | ||
| // Amends CCPA (California Consumer Privacy Act of 2018) | ||
| // Civil Code Sections 1798.100 - 1798.199.100 | ||
| // Regulator: California Privacy Protection Agency (CPPA) | ||
| // ============================================================ | ||
| export function createCaliforniaCRPAPolicyPack() { | ||
| const controls = [ | ||
| // --- Consumer Rights --- | ||
| { | ||
| id: "CPRA-01", | ||
| name: "Right to Know and Access", | ||
| description: "Implement consumer rights to know what personal information is collected, used, shared, or sold.", | ||
| category: "data-subject-rights", | ||
| framework: "CPRA", | ||
| status: "not-implemented", | ||
| severity: "critical", | ||
| implementation_guidance: "Provide consumers the right to: (1) know the categories and specific pieces of personal information collected, (2) know the categories of sources, (3) know the business/commercial purpose for collecting/selling/sharing, (4) know the categories of third parties receiving data. Provide two methods for submitting requests (at minimum a toll-free number and internet address). Verify the consumer's identity. Respond within 45 days (extendable by 45). [Ref: Cal. Civ. Code § 1798.100, § 1798.110, § 1798.115]", | ||
| checks: [ | ||
| { id: "CPRA-01-C1", description: "Two request submission methods available", status: "not-implemented" }, | ||
| { id: "CPRA-01-C2", description: "Identity verification procedure implemented", status: "not-implemented" }, | ||
| { id: "CPRA-01-C3", description: "Response within 45 days (90 max)", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| { | ||
| id: "CPRA-02", | ||
| name: "Right to Delete", | ||
| description: "Allow consumers to request deletion of their personal information.", | ||
| category: "data-subject-rights", | ||
| framework: "CPRA", | ||
| status: "not-implemented", | ||
| severity: "high", | ||
| implementation_guidance: "Upon a verifiable consumer request, delete the consumer's personal information from business records and direct service providers/contractors to delete. Exceptions include: completing transactions, security/fraud detection, debugging, exercising free speech, complying with legal obligations, internal uses aligned with consumer expectations, and legal compliance. [Ref: Cal. Civ. Code § 1798.105]", | ||
| checks: [ | ||
| { id: "CPRA-02-C1", description: "Deletion request process implemented", status: "not-implemented" }, | ||
| { id: "CPRA-02-C2", description: "Service provider deletion directed", status: "not-implemented" }, | ||
| { id: "CPRA-02-C3", description: "Exceptions documented and applied appropriately", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| { | ||
| id: "CPRA-03", | ||
| name: "Right to Correct", | ||
| description: "Allow consumers to correct inaccurate personal information maintained by the business.", | ||
| category: "data-subject-rights", | ||
| framework: "CPRA", | ||
| status: "not-implemented", | ||
| severity: "medium", | ||
| implementation_guidance: "Implement a mechanism for consumers to request correction of inaccurate personal information. Use reasonable efforts to verify accuracy before correcting. Consider the nature of the personal information, its use, and the potential impact on the consumer. Communicate the outcome of correction requests. [Ref: Cal. Civ. Code § 1798.106; CPRA added this right]", | ||
| checks: [ | ||
| { id: "CPRA-03-C1", description: "Correction request process implemented", status: "not-implemented" }, | ||
| { id: "CPRA-03-C2", description: "Reasonable accuracy verification before correction", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| { | ||
| id: "CPRA-04", | ||
| name: "Right to Opt-Out of Sale/Sharing", | ||
| description: "Provide mechanisms for consumers to opt out of sale or sharing of personal information.", | ||
| category: "consent-management", | ||
| framework: "CPRA", | ||
| status: "not-implemented", | ||
| severity: "critical", | ||
| implementation_guidance: "Provide a clear and conspicuous 'Do Not Sell or Share My Personal Information' link on the homepage. Honor Global Privacy Control (GPC) browser signals as a valid opt-out request. Do not require account creation to submit opt-out requests. Do not discriminate against consumers who exercise their rights (except for permitted financial incentives). Allow authorized agents to submit requests on behalf of consumers. [Ref: Cal. Civ. Code § 1798.120, § 1798.135; CPPA GPC Regulations]", | ||
| checks: [ | ||
| { id: "CPRA-04-C1", description: "'Do Not Sell or Share' link on homepage", status: "not-implemented" }, | ||
| { id: "CPRA-04-C2", description: "GPC browser signals honored", status: "not-implemented" }, | ||
| { id: "CPRA-04-C3", description: "No account requirement for opt-out", status: "not-implemented" }, | ||
| { id: "CPRA-04-C4", description: "Authorized agent requests supported", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| { | ||
| id: "CPRA-05", | ||
| name: "Sensitive Personal Information Controls", | ||
| description: "Allow consumers to limit use and disclosure of sensitive personal information.", | ||
| category: "consent-management", | ||
| framework: "CPRA", | ||
| status: "not-implemented", | ||
| severity: "high", | ||
| implementation_guidance: "Implement a 'Limit the Use of My Sensitive Personal Information' link. Sensitive PI includes: SSN/driver's license/state ID, financial account info with access codes, precise geolocation, racial/ethnic origin, religious beliefs, private communications, genetic/biometric/health data, sex life/orientation. Consumers may limit use to what is necessary for performing services or providing goods. [Ref: Cal. Civ. Code § 1798.121; CPRA Definition of Sensitive PI § 1798.140(ae)]", | ||
| checks: [ | ||
| { id: "CPRA-05-C1", description: "'Limit Sensitive PI' link on homepage", status: "not-implemented" }, | ||
| { id: "CPRA-05-C2", description: "Sensitive PI categories identified and mapped", status: "not-implemented" }, | ||
| { id: "CPRA-05-C3", description: "Use limiting mechanism implemented", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| // --- Privacy Notice & Disclosures --- | ||
| { | ||
| id: "CPRA-06", | ||
| name: "Privacy Policy Requirements", | ||
| description: "Publish a privacy policy meeting all CPRA disclosure requirements.", | ||
| category: "privacy-governance", | ||
| framework: "CPRA", | ||
| status: "not-implemented", | ||
| severity: "high", | ||
| implementation_guidance: "Publish a privacy policy describing: categories of PI collected, retention periods per category, categories of PI sold/shared, consumers' rights and how to exercise them, GPC recognition, financial incentive programs, PI collection/use/sources/categories of third parties, purpose of collecting/sharing, whether the business processes PI for secondary uses, whether assessments are conducted, and contact methods. Update at least every 12 months. Submit to CPPA registry if required. [Ref: Cal. Civ. Code § 1798.130; CPPA Privacy Policy Regulations]", | ||
| checks: [ | ||
| { id: "CPRA-06-C1", description: "Privacy policy includes all CPRA-required disclosures", status: "not-implemented" }, | ||
| { id: "CPRA-06-C2", description: "Retention periods disclosed per data category", status: "not-implemented" }, | ||
| { id: "CPRA-06-C3", description: "Policy reviewed at least annually", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| // --- Service Provider / Contractor Contracts --- | ||
| { | ||
| id: "CPRA-07", | ||
| name: "Service Provider and Contractor Contracts", | ||
| description: "Execute CPRA-compliant contracts with all service providers, contractors, and third parties.", | ||
| category: "vendor-management", | ||
| framework: "CPRA", | ||
| status: "not-implemented", | ||
| severity: "high", | ||
| implementation_guidance: "Execute written contracts with service providers/contractors that: set out specific business purposes, prohibit using PI for other purposes, prohibit combining with other data (except permitted), prohibit selling/sharing, require notification of inability to comply within 5 days, grant audit rights, require sub-processor flow-down, and specify security measures. For third parties receiving PI, contract must prohibit combining for cross-context behavioral advertising. [Ref: Cal. Civ. Code § 1798.140(ag), § 1798.100(d); CPPA Contract Regulations]", | ||
| checks: [ | ||
| { id: "CPRA-07-C1", description: "CPRA-compliant contracts with all service providers", status: "not-implemented" }, | ||
| { id: "CPRA-07-C2", description: "Audit rights and sub-processor flow-down included", status: "not-implemented" }, | ||
| { id: "CPRA-07-C3", description: "Cross-context behavioral advertising prohibition in third-party contracts", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| // --- Data Protection Assessments --- | ||
| { | ||
| id: "CPRA-08", | ||
| name: "Cybersecurity Audits and DPAs", | ||
| description: "Conduct cybersecurity audits and data protection assessments for processing activities presenting significant risk.", | ||
| category: "privacy-governance", | ||
| framework: "CPRA", | ||
| status: "not-implemented", | ||
| severity: "high", | ||
| implementation_guidance: "Conduct regular cybersecurity audits. Perform Data Protection Assessments for processing activities that present significant risk to consumer privacy or security, including: selling/sharing PI, processing sensitive PI, automated decision-making technology (ADMT), and processing for purposes incompatible with disclosed purposes. Document assessments and make available to the CPPA upon request. [Ref: Cal. Civ. Code § 1798.185(a)(15); CPPA ADMT and Risk Assessment Regulations]", | ||
| checks: [ | ||
| { id: "CPRA-08-C1", description: "Cybersecurity audit program established", status: "not-implemented" }, | ||
| { id: "CPRA-08-C2", description: "DPAs conducted for significant-risk processing", status: "not-implemented" }, | ||
| { id: "CPRA-08-C3", description: "ADMT assessments conducted where applicable", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| // --- Data Minimization & Purpose Limitation --- | ||
| { | ||
| id: "CPRA-09", | ||
| name: "Data Minimization and Purpose Limitation", | ||
| description: "Collect and process personal information only for specific, explicit, and disclosed purposes.", | ||
| category: "data-inventory", | ||
| framework: "CPRA", | ||
| status: "not-implemented", | ||
| severity: "high", | ||
| implementation_guidance: "Collect, use, retain, and share only what is reasonably necessary and proportionate to the disclosed purposes. Document collection purposes and verify minimization. Do not use PI for incompatible secondary purposes without notice and consent. Retain PI no longer than necessary for the purpose. [Ref: Cal. Civ. Code § 1798.100(c)]", | ||
| checks: [ | ||
| { id: "CPRA-09-C1", description: "Collection limited to reasonably necessary data", status: "not-implemented" }, | ||
| { id: "CPRA-09-C2", description: "Purpose compatibility assessed before secondary use", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| ]; | ||
| return { | ||
| id: "us-cpra", | ||
| name: "California CPRA Pack (CCPA as amended by CPRA 2020)", | ||
| description: "Comprehensive California privacy controls covering CPRA/CCPA: right to know/access (§1798.100-115), right to delete (§1798.105), right to correct (§1798.106), opt-out of sale/sharing with GPC support (§1798.120/135), sensitive PI controls (§1798.121), privacy policy requirements, service provider contracts, cybersecurity audits and DPAs (§1798.185), and data minimization.", | ||
| version: "1.0.0", | ||
| project_types: ["saas", "generic-web-application", "api-backend", "mobile-application"], | ||
| controls, | ||
| frameworks: ["CPRA"], | ||
| }; | ||
| } |
| import type { PolicyPack } from "@greenarmor/ges-core"; | ||
| export declare function createSingaporePDPAPolicyPack(): PolicyPack; | ||
| export declare function createPhilippinesDPAPolicyPack(): PolicyPack; | ||
| export declare function createJapanAPPIPolicyPack(): PolicyPack; | ||
| export declare function createSouthKoreaPIPAPolicyPack(): PolicyPack; | ||
| export declare function createChinaPIPLPolicyPack(): PolicyPack; | ||
| export declare function createIndiaDPDPAPolicyPack(): PolicyPack; |
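Review bot: The six exported factories in this declaration file have no TSDoc, so consumers of the package see only bare `(): PolicyPack` signatures with nothing stating which jurisdiction or law each one covers or that every call builds a fresh pack. If this `.d.ts` is emitted by tsc the comments belong on the source functions so they are carried into the declaration output; a one-liner per export such as `/** Builds the Singapore PDPA policy pack; each call returns a new PolicyPack instance. */` would do, with the law name taken from the pack's own `name`/`description` rather than guessed here. The same applies to the other five factories.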
| import type { PolicyPack } from "@greenarmor/ges-core"; | ||
| export declare function createPrivacyCorePolicyPack(): PolicyPack; |
| export function createPrivacyCorePolicyPack() { | ||
| const controls = [ | ||
| // ============================================================ | ||
| // PRIV-GOV — GOVERNANCE | ||
| // ============================================================ | ||
| { | ||
| id: "PRIV-GOV-01", | ||
| name: "Privacy Program", | ||
| description: "Establish and maintain a formal privacy program with defined scope, objectives, and oversight.", | ||
| category: "privacy-governance", | ||
| framework: "PRIVACY-CORE", | ||
| status: "not-implemented", | ||
| severity: "critical", | ||
| implementation_guidance: "Define a privacy program charter with scope, objectives, governance structure, and reporting cadence. Assign executive sponsorship. Document the program's alignment with business objectives and regulatory requirements. Review and update the charter annually.", | ||
| checks: [ | ||
| { id: "PRIV-GOV-01-C1", description: "Privacy program charter documented and approved", status: "not-implemented" }, | ||
| { id: "PRIV-GOV-01-C2", description: "Executive sponsor assigned and documented", status: "not-implemented" }, | ||
| { id: "PRIV-GOV-01-C3", description: "Program reviewed and updated annually", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| { | ||
| id: "PRIV-GOV-02", | ||
| name: "Privacy Policies", | ||
| description: "Develop, approve, and maintain privacy policies that govern personal data processing.", | ||
| category: "privacy-governance", | ||
| framework: "PRIVACY-CORE", | ||
| status: "not-implemented", | ||
| severity: "high", | ||
| implementation_guidance: "Create a comprehensive privacy policy covering data collection, use, sharing, retention, and individual rights. Ensure policies are accessible, written in plain language, and available in relevant languages. Review and update policies at least annually or upon significant changes.", | ||
| checks: [ | ||
| { id: "PRIV-GOV-02-C1", description: "Privacy policy published and accessible", status: "not-implemented" }, | ||
| { id: "PRIV-GOV-02-C2", description: "Internal privacy procedures documented", status: "not-implemented" }, | ||
| { id: "PRIV-GOV-02-C3", description: "Policies reviewed at least annually", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| { | ||
| id: "PRIV-GOV-03", | ||
| name: "Data Protection Officer", | ||
| description: "Appoint a Data Protection Officer (DPO) or privacy lead with defined responsibilities and authority.", | ||
| category: "privacy-governance", | ||
| framework: "PRIVACY-CORE", | ||
| status: "not-implemented", | ||
| severity: "high", | ||
| implementation_guidance: "Appoint a DPO or equivalent privacy lead. Define their responsibilities: monitoring compliance, advising on privacy impact assessments, cooperating with regulators, and serving as a contact point for data subjects. Ensure the DPO reports to the highest level of management and operates independently.", | ||
| checks: [ | ||
| { id: "PRIV-GOV-03-C1", description: "DPO or privacy lead appointed and documented", status: "not-implemented" }, | ||
| { id: "PRIV-GOV-03-C2", description: "DPO responsibilities defined and communicated", status: "not-implemented" }, | ||
| { id: "PRIV-GOV-03-C3", description: "DPO contact information publicly available", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| { | ||
| id: "PRIV-GOV-04", | ||
| name: "Privacy Risk Management", | ||
| description: "Establish a privacy risk management process integrated with the overall risk management framework.", | ||
| category: "privacy-governance", | ||
| framework: "PRIVACY-CORE", | ||
| status: "not-implemented", | ||
| severity: "high", | ||
| implementation_guidance: "Define a privacy risk assessment methodology. Identify, analyze, and evaluate privacy risks. Define risk thresholds and treatment strategies (accept, mitigate, transfer, avoid). Document risk decisions and track remediation. Integrate with enterprise risk management.", | ||
| checks: [ | ||
| { id: "PRIV-GOV-04-C1", description: "Privacy risk methodology documented", status: "not-implemented" }, | ||
| { id: "PRIV-GOV-04-C2", description: "Privacy risk register maintained", status: "not-implemented" }, | ||
| { id: "PRIV-GOV-04-C3", description: "Risk treatment decisions documented", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| { | ||
| id: "PRIV-GOV-05", | ||
| name: "Management Review", | ||
| description: "Conduct regular management reviews of the privacy program's effectiveness.", | ||
| category: "privacy-governance", | ||
| framework: "PRIVACY-CORE", | ||
| status: "not-implemented", | ||
| severity: "medium", | ||
| implementation_guidance: "Schedule privacy program reviews at least quarterly with senior management. Review metrics, incident trends, audit findings, risk status, and regulatory changes. Document review outcomes and action items. Track action item completion.", | ||
| checks: [ | ||
| { id: "PRIV-GOV-05-C1", description: "Management review conducted at least quarterly", status: "not-implemented" }, | ||
| { id: "PRIV-GOV-05-C2", description: "Review outcomes and actions documented", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| // ============================================================ | ||
| // PRIV-INV — DATA INVENTORY | ||
| // ============================================================ | ||
| { | ||
| id: "PRIV-INV-01", | ||
| name: "Data Inventory Register", | ||
| description: "Maintain a comprehensive inventory of all personal data collected, processed, and stored.", | ||
| category: "data-inventory", | ||
| framework: "PRIVACY-CORE", | ||
| status: "not-implemented", | ||
| severity: "critical", | ||
| implementation_guidance: "Create and maintain a data inventory that documents: data categories, data sources, collection methods, processing purposes, storage locations, retention periods, access controls, and third-party sharing. Use automated discovery tools where possible. Review and update the inventory at least annually.", | ||
| checks: [ | ||
| { id: "PRIV-INV-01-C1", description: "Data inventory register maintained and up-to-date", status: "not-implemented" }, | ||
| { id: "PRIV-INV-01-C2", description: "Inventory includes all required metadata fields", status: "not-implemented" }, | ||
| { id: "PRIV-INV-01-C3", description: "Inventory reviewed at least annually", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| { | ||
| id: "PRIV-INV-02", | ||
| name: "Data Flow Mapping", | ||
| description: "Document the flow of personal data through systems, applications, and third parties.", | ||
| category: "data-inventory", | ||
| framework: "PRIVACY-CORE", | ||
| status: "not-implemented", | ||
| severity: "high", | ||
| implementation_guidance: "Create data flow maps showing how personal data moves through the organization: collection points, processing systems, storage locations, third-party transfers, and deletion points. Identify cross-border data flows. Update maps when processing activities change.", | ||
| checks: [ | ||
| { id: "PRIV-INV-02-C1", description: "Data flow maps documented for all processing activities", status: "not-implemented" }, | ||
| { id: "PRIV-INV-02-C2", description: "Cross-border data flows identified and mapped", status: "not-implemented" }, | ||
| { id: "PRIV-INV-02-C3", description: "Maps updated when processing activities change", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| { | ||
| id: "PRIV-INV-03", | ||
| name: "Processing Activity Records", | ||
| description: "Maintain records of processing activities (ROPA) as required by applicable privacy laws.", | ||
| category: "data-inventory", | ||
| framework: "PRIVACY-CORE", | ||
| status: "not-implemented", | ||
| severity: "critical", | ||
| implementation_guidance: "Maintain a ROPA documenting: processing purposes, data categories, data subjects, recipients, third-country transfers, retention periods, and security measures. Keep records current and available for regulatory inspection. Align format with applicable legal requirements (e.g., GDPR Article 30).", | ||
| checks: [ | ||
| { id: "PRIV-INV-03-C1", description: "ROPA maintained and accessible for regulatory inspection", status: "not-implemented" }, | ||
| { id: "PRIV-INV-03-C2", description: "ROPA includes all legally required fields", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| { | ||
| id: "PRIV-INV-04", | ||
| name: "System Classification", | ||
| description: "Classify systems and applications based on the sensitivity of personal data they process.", | ||
| category: "data-inventory", | ||
| framework: "PRIVACY-CORE", | ||
| status: "not-implemented", | ||
| severity: "medium", | ||
| implementation_guidance: "Assign data classification levels (public, internal, confidential, restricted) to all systems processing personal data. Define handling requirements per classification level. Implement access controls aligned with classification. Review classifications when processing changes.", | ||
| checks: [ | ||
| { id: "PRIV-INV-04-C1", description: "All systems classified by data sensitivity", status: "not-implemented" }, | ||
| { id: "PRIV-INV-04-C2", description: "Handling requirements defined per classification", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| // ============================================================ | ||
| // PRIV-CNS — CONSENT & LEGAL BASIS | ||
| // ============================================================ | ||
| { | ||
| id: "PRIV-CNS-01", | ||
| name: "Consent Collection", | ||
| description: "Implement mechanisms for collecting, recording, and managing consent for personal data processing.", | ||
| category: "consent-management", | ||
| framework: "PRIVACY-CORE", | ||
| status: "not-implemented", | ||
| severity: "critical", | ||
| implementation_guidance: "Implement a consent management platform that captures granular, informed, and freely given consent. Record: what was consented to, when, how, the privacy policy version, and withdrawal options. Support separate consent for different processing purposes. Ensure consent is as easy to withdraw as to give.", | ||
| checks: [ | ||
| { id: "PRIV-CNS-01-C1", description: "Consent management platform deployed", status: "not-implemented" }, | ||
| { id: "PRIV-CNS-01-C2", description: "Granular consent per processing purpose", status: "not-implemented" }, | ||
| { id: "PRIV-CNS-01-C3", description: "Consent records include timestamp, method, and policy version", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| { | ||
| id: "PRIV-CNS-02", | ||
| name: "Consent Withdrawal", | ||
| description: "Provide mechanisms for individuals to withdraw consent as easily as it was given.", | ||
| category: "consent-management", | ||
| framework: "PRIVACY-CORE", | ||
| status: "not-implemented", | ||
| severity: "high", | ||
| implementation_guidance: "Implement a user-facing consent withdrawal mechanism accessible from account settings, privacy preferences, or a dedicated page. Process withdrawal requests within defined timeframes. Stop processing upon withdrawal. Notify third parties of withdrawn consent.", | ||
| checks: [ | ||
| { id: "PRIV-CNS-02-C1", description: "Consent withdrawal mechanism available to users", status: "not-implemented" }, | ||
| { id: "PRIV-CNS-02-C2", description: "Withdrawal processed within defined SLA", status: "not-implemented" }, | ||
| { id: "PRIV-CNS-02-C3", description: "Third parties notified of withdrawn consent", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| { | ||
| id: "PRIV-CNS-03", | ||
| name: "Legal Basis Documentation", | ||
| description: "Document the legal basis for each personal data processing activity.", | ||
| category: "consent-management", | ||
| framework: "PRIVACY-CORE", | ||
| status: "not-implemented", | ||
| severity: "high", | ||
| implementation_guidance: "For each processing activity, identify and document the legal basis (consent, contract, legal obligation, vital interests, public task, or legitimate interests). Conduct legitimate interest assessments where applicable. Maintain documentation alongside the ROPA.", | ||
| checks: [ | ||
| { id: "PRIV-CNS-03-C1", description: "Legal basis documented for each processing activity", status: "not-implemented" }, | ||
| { id: "PRIV-CNS-03-C2", description: "Legitimate interest assessments conducted where applicable", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| { | ||
| id: "PRIV-CNS-04", | ||
| name: "Purpose Limitation", | ||
| description: "Ensure personal data is processed only for specified, explicit, and legitimate purposes.", | ||
| category: "consent-management", | ||
| framework: "PRIVACY-CORE", | ||
| status: "not-implemented", | ||
| severity: "high", | ||
| implementation_guidance: "Define and document specific processing purposes for each data collection. Implement technical controls preventing data use beyond stated purposes. Conduct compatibility assessments before reusing data for new purposes. Communicate purposes to data subjects at collection.", | ||
| checks: [ | ||
| { id: "PRIV-CNS-04-C1", description: "Processing purposes documented per data collection", status: "not-implemented" }, | ||
| { id: "PRIV-CNS-04-C2", description: "Compatibility assessment before data reuse", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| // ============================================================ | ||
| // PRIV-DSR — DATA SUBJECT RIGHTS | ||
| // ============================================================ | ||
| { | ||
| id: "PRIV-DSR-01", | ||
| name: "Right of Access", | ||
| description: "Provide individuals with the ability to access their personal data upon request.", | ||
| category: "data-subject-rights", | ||
| framework: "PRIVACY-CORE", | ||
| status: "not-implemented", | ||
| severity: "critical", | ||
| implementation_guidance: "Implement a DSAR (Data Subject Access Request) process allowing individuals to request a copy of their personal data. Verify identity before disclosure. Provide data in a structured, commonly used, machine-readable format. Respond within statutory timeframes (typically 30 days). Document all requests and responses.", | ||
| checks: [ | ||
| { id: "PRIV-DSR-01-C1", description: "DSAR process implemented and documented", status: "not-implemented" }, | ||
| { id: "PRIV-DSR-01-C2", description: "Identity verification before disclosure", status: "not-implemented" }, | ||
| { id: "PRIV-DSR-01-C3", description: "Responses provided within statutory timeframes", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| { | ||
| id: "PRIV-DSR-02", | ||
| name: "Right to Rectification", | ||
| description: "Allow individuals to correct inaccurate or incomplete personal data.", | ||
| category: "data-subject-rights", | ||
| framework: "PRIVACY-CORE", | ||
| status: "not-implemented", | ||
| severity: "high", | ||
| implementation_guidance: "Provide a mechanism for individuals to request correction of inaccurate personal data. Implement a verification process for rectification requests. Update data across all systems within defined timeframes. Notify third parties of corrections where data was shared.", | ||
| checks: [ | ||
| { id: "PRIV-DSR-02-C1", description: "Rectification request mechanism available", status: "not-implemented" }, | ||
| { id: "PRIV-DSR-02-C2", description: "Corrections propagated across all systems", status: "not-implemented" }, | ||
| { id: "PRIV-DSR-02-C3", description: "Third parties notified of corrections", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| { | ||
| id: "PRIV-DSR-03", | ||
| name: "Right to Erasure", | ||
| description: "Allow individuals to request deletion of their personal data (right to be forgotten).", | ||
| category: "data-subject-rights", | ||
| framework: "PRIVACY-CORE", | ||
| status: "not-implemented", | ||
| severity: "critical", | ||
| implementation_guidance: "Implement a deletion request process with defined criteria for when erasure applies. Verify identity and assess legal obligations before deletion. Delete data from all systems including backups (or flag for deletion on next backup cycle). Notify third parties of erasure. Document the erasure action.", | ||
| checks: [ | ||
| { id: "PRIV-DSR-03-C1", description: "Erasure request process implemented", status: "not-implemented" }, | ||
| { id: "PRIV-DSR-03-C2", description: "Data deleted from all systems including backups", status: "not-implemented" }, | ||
| { id: "PRIV-DSR-03-C3", description: "Third parties notified of erasure", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| { | ||
| id: "PRIV-DSR-04", | ||
| name: "Right to Data Portability", | ||
| description: "Provide individuals with their personal data in a structured, machine-readable format for transfer.", | ||
| category: "data-subject-rights", | ||
| framework: "PRIVACY-CORE", | ||
| status: "not-implemented", | ||
| severity: "medium", | ||
| implementation_guidance: "Implement an export mechanism providing personal data in JSON, CSV, or XML format. Ensure the export includes all personal data provided by the individual and data generated from their activity. Provide a direct transfer option to another controller where technically feasible.", | ||
| checks: [ | ||
| { id: "PRIV-DSR-04-C1", description: "Data export in machine-readable format available", status: "not-implemented" }, | ||
| { id: "PRIV-DSR-04-C2", description: "Direct transfer to another controller supported", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| { | ||
| id: "PRIV-DSR-05", | ||
| name: "Right to Object", | ||
| description: "Allow individuals to object to processing of their personal data for specific purposes.", | ||
| category: "data-subject-rights", | ||
| framework: "PRIVACY-CORE", | ||
| status: "not-implemented", | ||
| severity: "high", | ||
| implementation_guidance: "Provide a mechanism for individuals to object to processing (especially direct marketing, profiling, and research). Stop processing upon valid objection unless compelling legitimate grounds exist. Inform individuals of their right to object at the point of collection and in privacy notices.", | ||
| checks: [ | ||
| { id: "PRIV-DSR-05-C1", description: "Objection mechanism available to individuals", status: "not-implemented" }, | ||
| { id: "PRIV-DSR-05-C2", description: "Processing stopped upon valid objection", status: "not-implemented" }, | ||
| { id: "PRIV-DSR-05-C3", description: "Right to object communicated in privacy notices", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| { | ||
| id: "PRIV-DSR-06", | ||
| name: "Automated Decision Review", | ||
| description: "Protect individuals from solely automated decisions with legal or significant effects, including profiling.", | ||
| category: "data-subject-rights", | ||
| framework: "PRIVACY-CORE", | ||
| status: "not-implemented", | ||
| severity: "high", | ||
| implementation_guidance: "Identify all automated decision-making systems and profiling activities. Implement safeguards: human intervention, ability to contest decisions, and explanation of logic. Obtain explicit consent for automated decisions where required. Document the algorithms and criteria used.", | ||
| checks: [ | ||
| { id: "PRIV-DSR-06-C1", description: "Automated decision systems identified and documented", status: "not-implemented" }, | ||
| { id: "PRIV-DSR-06-C2", description: "Human intervention capability available", status: "not-implemented" }, | ||
| { id: "PRIV-DSR-06-C3", description: "Decision explanation provided to individuals", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| // ============================================================ | ||
| // PRIV-SEC — SECURITY CONTROLS | ||
| // ============================================================ | ||
| { | ||
| id: "PRIV-SEC-01", | ||
| name: "Access Management", | ||
| description: "Implement role-based access controls for systems processing personal data.", | ||
| category: "security-controls", | ||
| framework: "PRIVACY-CORE", | ||
| status: "not-implemented", | ||
| severity: "critical", | ||
| implementation_guidance: "Implement RBAC for all systems processing personal data. Apply least privilege principle. Conduct quarterly access reviews. Implement just-in-time access for privileged operations. Log and monitor all access to personal data.", | ||
| checks: [ | ||
| { id: "PRIV-SEC-01-C1", description: "RBAC implemented for all personal data systems", status: "not-implemented" }, | ||
| { id: "PRIV-SEC-01-C2", description: "Quarterly access reviews conducted", status: "not-implemented" }, | ||
| { id: "PRIV-SEC-01-C3", description: "All personal data access logged", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| { | ||
| id: "PRIV-SEC-02", | ||
| name: "Encryption", | ||
| description: "Encrypt personal data at rest and in transit using industry-standard algorithms.", | ||
| category: "security-controls", | ||
| framework: "PRIVACY-CORE", | ||
| status: "not-implemented", | ||
| severity: "critical", | ||
| implementation_guidance: "Implement AES-256-GCM encryption at rest for all personal data. Enforce TLS 1.2+ for all data in transit. Implement field-level encryption for highly sensitive data (PII, health data, financial data). Manage encryption keys using a KMS or HSM. Rotate keys periodically.", | ||
| checks: [ | ||
| { id: "PRIV-SEC-02-C1", description: "AES-256 encryption at rest for personal data", status: "not-implemented" }, | ||
| { id: "PRIV-SEC-02-C2", description: "TLS 1.2+ for all data in transit", status: "not-implemented" }, | ||
| { id: "PRIV-SEC-02-C3", description: "Field-level encryption for sensitive PII", status: "not-implemented" }, | ||
| { id: "PRIV-SEC-02-C4", description: "Key management via KMS/HSM", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| { | ||
| id: "PRIV-SEC-03", | ||
| name: "Pseudonymisation and Anonymisation", | ||
| description: "Implement pseudonymisation and anonymisation techniques to reduce privacy risk.", | ||
| category: "security-controls", | ||
| framework: "PRIVACY-CORE", | ||
| status: "not-implemented", | ||
| severity: "high", | ||
| implementation_guidance: "Implement pseudonymisation for data used in analytics, testing, and research. Store mapping keys separately from pseudonymised data. Implement anonymisation techniques (k-anonymity, differential privacy) for published datasets. Verify anonymisation effectiveness before publishing.", | ||
| checks: [ | ||
| { id: "PRIV-SEC-03-C1", description: "Pseudonymisation implemented for analytics/testing", status: "not-implemented" }, | ||
| { id: "PRIV-SEC-03-C2", description: "Mapping keys stored separately", status: "not-implemented" }, | ||
| { id: "PRIV-SEC-03-C3", description: "Anonymisation verified before data publication", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| { | ||
| id: "PRIV-SEC-04", | ||
| name: "Secure Development", | ||
| description: "Integrate privacy and security controls into the software development lifecycle.", | ||
| category: "security-controls", | ||
| framework: "PRIVACY-CORE", | ||
| status: "not-implemented", | ||
| severity: "high", | ||
| implementation_guidance: "Implement privacy by design principles in the SDLC. Conduct privacy impact assessments for new features. Integrate SAST/DAST into CI/CD pipelines. Perform security code reviews. Train developers on secure coding practices.", | ||
| checks: [ | ||
| { id: "PRIV-SEC-04-C1", description: "Privacy by design integrated into SDLC", status: "not-implemented" }, | ||
| { id: "PRIV-SEC-04-C2", description: "SAST/DAST in CI/CD pipelines", status: "not-implemented" }, | ||
| { id: "PRIV-SEC-04-C3", description: "Security code reviews conducted", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| // ============================================================ | ||
| // PRIV-INC — INCIDENT & BREACH MANAGEMENT | ||
| // ============================================================ | ||
| { | ||
| id: "PRIV-INC-01", | ||
| name: "Incident Response Plan", | ||
| description: "Develop and maintain a privacy incident response plan with defined roles and procedures.", | ||
| category: "incident-management", | ||
| framework: "PRIVACY-CORE", | ||
| status: "not-implemented", | ||
| severity: "critical", | ||
| implementation_guidance: "Create a privacy incident response plan covering: detection, classification, containment, eradication, notification, and recovery. Define roles and responsibilities (IR team, legal, communications, DPO). Test the plan annually via tabletop exercises. Update based on lessons learned.", | ||
| checks: [ | ||
| { id: "PRIV-INC-01-C1", description: "Privacy incident response plan documented", status: "not-implemented" }, | ||
| { id: "PRIV-INC-01-C2", description: "Roles and responsibilities defined", status: "not-implemented" }, | ||
| { id: "PRIV-INC-01-C3", description: "Plan tested annually", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| { | ||
| id: "PRIV-INC-02", | ||
| name: "Breach Classification", | ||
| description: "Establish criteria for classifying privacy breach severity and determining notification obligations.", | ||
| category: "incident-management", | ||
| framework: "PRIVACY-CORE", | ||
| status: "not-implemented", | ||
| severity: "high", | ||
| implementation_guidance: "Define breach severity levels based on data types, volume, sensitivity, and risk to individuals. Create a decision matrix for regulatory notification thresholds. Document assessment procedures. Train incident responders on classification criteria.", | ||
| checks: [ | ||
| { id: "PRIV-INC-02-C1", description: "Breach classification criteria documented", status: "not-implemented" }, | ||
| { id: "PRIV-INC-02-C2", description: "Notification decision matrix defined", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| { | ||
| id: "PRIV-INC-03", | ||
| name: "Regulatory Notification", | ||
| description: "Implement procedures for notifying regulators of qualifying privacy breaches within statutory timeframes.", | ||
| category: "incident-management", | ||
| framework: "PRIVACY-CORE", | ||
| status: "not-implemented", | ||
| severity: "critical", | ||
| implementation_guidance: "Define regulatory notification procedures for all applicable jurisdictions. Map notification timeframes per jurisdiction (e.g., GDPR 72 hours, various state laws 30-90 days). Prepare notification templates. Maintain regulator contact information. Test notification workflows.", | ||
| checks: [ | ||
| { id: "PRIV-INC-03-C1", description: "Notification procedures documented per jurisdiction", status: "not-implemented" }, | ||
| { id: "PRIV-INC-03-C2", description: "Notification templates prepared", status: "not-implemented" }, | ||
| { id: "PRIV-INC-03-C3", description: "Regulator contact information maintained", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| { | ||
| id: "PRIV-INC-04", | ||
| name: "Data Subject Notification", | ||
| description: "Implement procedures for notifying affected individuals of qualifying privacy breaches.", | ||
| category: "incident-management", | ||
| framework: "PRIVACY-CORE", | ||
| status: "not-implemented", | ||
| severity: "high", | ||
| implementation_guidance: "Define criteria for when individual notification is required (high risk to rights and freedoms). Prepare notification templates in relevant languages. Define communication channels (email, mail, in-app, public notice). Coordinate timing with regulatory notifications.", | ||
| checks: [ | ||
| { id: "PRIV-INC-04-C1", description: "Individual notification criteria defined", status: "not-implemented" }, | ||
| { id: "PRIV-INC-04-C2", description: "Multi-language notification templates prepared", status: "not-implemented" }, | ||
| { id: "PRIV-INC-04-C3", description: "Communication channels defined", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| // ============================================================ | ||
| // PRIV-VEN — THIRD-PARTY MANAGEMENT | ||
| // ============================================================ | ||
| { | ||
| id: "PRIV-VEN-01", | ||
| name: "Vendor Due Diligence", | ||
| description: "Conduct privacy and security due diligence before engaging vendors processing personal data.", | ||
| category: "vendor-management", | ||
| framework: "PRIVACY-CORE", | ||
| status: "not-implemented", | ||
| severity: "high", | ||
| implementation_guidance: "Establish a vendor assessment process evaluating privacy practices, security controls, certifications (ISO 27001, SOC 2), and compliance history. Classify vendors by risk level. Require completion of security questionnaires. Document assessment results and risk decisions.", | ||
| checks: [ | ||
| { id: "PRIV-VEN-01-C1", description: "Vendor assessment process documented and enforced", status: "not-implemented" }, | ||
| { id: "PRIV-VEN-01-C2", description: "Vendors classified by risk level", status: "not-implemented" }, | ||
| { id: "PRIV-VEN-01-C3", description: "Security questionnaires completed for high-risk vendors", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| { | ||
| id: "PRIV-VEN-02", | ||
| name: "Processor Agreements", | ||
| description: "Execute data processing agreements (DPAs) with all vendors acting as data processors.", | ||
| category: "vendor-management", | ||
| framework: "PRIVACY-CORE", | ||
| status: "not-implemented", | ||
| severity: "critical", | ||
| implementation_guidance: "Execute DPAs with all processors before data sharing. Ensure DPAs define: processing scope, security obligations, sub-processor controls, breach notification timelines, data return/deletion, and audit rights. Review and renew DPAs at least annually or upon material changes.", | ||
| checks: [ | ||
| { id: "PRIV-VEN-02-C1", description: "DPAs executed with all processors", status: "not-implemented" }, | ||
| { id: "PRIV-VEN-02-C2", description: "DPAs include all legally required clauses", status: "not-implemented" }, | ||
| { id: "PRIV-VEN-02-C3", description: "DPAs reviewed and renewed annually", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| { | ||
| id: "PRIV-VEN-03", | ||
| name: "Ongoing Monitoring", | ||
| description: "Monitor vendor compliance with privacy and security requirements throughout the relationship.", | ||
| category: "vendor-management", | ||
| framework: "PRIVACY-CORE", | ||
| status: "not-implemented", | ||
| severity: "medium", | ||
| implementation_guidance: "Conduct periodic reviews of vendor security posture. Require annual SOC 2 or equivalent reports. Track vendor breach notifications. Monitor for changes in vendor security certifications. Reassess vendors upon scope changes or incidents.", | ||
| checks: [ | ||
| { id: "PRIV-VEN-03-C1", description: "Annual vendor security reviews conducted", status: "not-implemented" }, | ||
| { id: "PRIV-VEN-03-C2", description: "Vendor breach notifications tracked", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| // ============================================================ | ||
| // PRIV-XBT — CROSS-BORDER TRANSFERS | ||
| // ============================================================ | ||
| { | ||
| id: "PRIV-XBT-01", | ||
| name: "Transfer Assessment", | ||
| description: "Identify and document all cross-border personal data transfers.", | ||
| category: "cross-border-transfers", | ||
| framework: "PRIVACY-CORE", | ||
| status: "not-implemented", | ||
| severity: "critical", | ||
| implementation_guidance: "Map all international personal data transfers including: source/destination countries, data categories, transfer mechanisms, recipients, and purpose. Maintain a transfer register. Update when new transfers are established. Identify transfers to non-adequate countries.", | ||
| checks: [ | ||
| { id: "PRIV-XBT-01-C1", description: "Cross-border transfer register maintained", status: "not-implemented" }, | ||
| { id: "PRIV-XBT-01-C2", description: "All transfers mapped with countries and mechanisms", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| { | ||
| id: "PRIV-XBT-02", | ||
| name: "Adequacy Assessment", | ||
| description: "Determine whether destination countries have adequate data protection levels.", | ||
| category: "cross-border-transfers", | ||
| framework: "PRIVACY-CORE", | ||
| status: "not-implemented", | ||
| severity: "high", | ||
| implementation_guidance: "Maintain a list of countries recognized as providing adequate data protection (EU adequacy decisions, UK adequacy regulations, etc.). Verify adequacy status before transferring data. For non-adequate countries, implement appropriate safeguards (SCCs, BCRs, or derogations).", | ||
| checks: [ | ||
| { id: "PRIV-XBT-02-C1", description: "Adequacy status tracked per destination country", status: "not-implemented" }, | ||
| { id: "PRIV-XBT-02-C2", description: "Safeguards implemented for non-adequate transfers", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| { | ||
| id: "PRIV-XBT-03", | ||
| name: "Standard Contractual Clauses", | ||
| description: "Execute Standard Contractual Clauses (SCCs) or equivalent safeguards for non-adequate transfers.", | ||
| category: "cross-border-transfers", | ||
| framework: "PRIVACY-CORE", | ||
| status: "not-implemented", | ||
| severity: "high", | ||
| implementation_guidance: "Execute the latest version of SCCs (EU SCCs, UK IDTA, or equivalent) for all transfers to non-adequate countries. Conduct Transfer Impact Assessments (TIAs) before relying on SCCs. Implement supplementary measures where TIAs identify risks. Maintain executed SCC records.", | ||
| checks: [ | ||
| { id: "PRIV-XBT-03-C1", description: "SCCs executed for all non-adequate transfers", status: "not-implemented" }, | ||
| { id: "PRIV-XBT-03-C2", description: "Transfer Impact Assessments conducted", status: "not-implemented" }, | ||
| { id: "PRIV-XBT-03-C3", description: "Supplementary measures implemented where needed", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| { | ||
| id: "PRIV-XBT-04", | ||
| name: "Data Localization Requirements", | ||
| description: "Identify and comply with data localization mandates applicable to the organization.", | ||
| category: "cross-border-transfers", | ||
| framework: "PRIVACY-CORE", | ||
| status: "not-implemented", | ||
| severity: "high", | ||
| implementation_guidance: "Identify countries with data localization requirements (e.g., China PIPL, Russia, India DPDPA for certain data). Implement technical controls ensuring affected data remains within required jurisdictions. Monitor regulatory changes affecting localization obligations. Document compliance measures.", | ||
| checks: [ | ||
| { id: "PRIV-XBT-04-C1", description: "Data localization requirements identified per jurisdiction", status: "not-implemented" }, | ||
| { id: "PRIV-XBT-04-C2", description: "Technical controls enforce localization", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| // ============================================================ | ||
| // PRIV-RET — RETENTION & DISPOSAL | ||
| // ============================================================ | ||
| { | ||
| id: "PRIV-RET-01", | ||
| name: "Retention Schedule", | ||
| description: "Define and enforce data retention periods for each category of personal data.", | ||
| category: "data-retention", | ||
| framework: "PRIVACY-CORE", | ||
| status: "not-implemented", | ||
| severity: "critical", | ||
| implementation_guidance: "Create a retention schedule defining how long each data category is retained based on legal requirements, business needs, and contractual obligations. Implement automated retention enforcement (TTL, scheduled deletion). Review and update the schedule at least annually. Document retention decisions.", | ||
| checks: [ | ||
| { id: "PRIV-RET-01-C1", description: "Retention schedule documented per data category", status: "not-implemented" }, | ||
| { id: "PRIV-RET-01-C2", description: "Automated retention enforcement implemented", status: "not-implemented" }, | ||
| { id: "PRIV-RET-01-C3", description: "Retention schedule reviewed annually", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| { | ||
| id: "PRIV-RET-02", | ||
| name: "Secure Disposal", | ||
| description: "Implement secure disposal procedures for personal data that has exceeded retention.", | ||
| category: "data-retention", | ||
| framework: "PRIVACY-CORE", | ||
| status: "not-implemented", | ||
| severity: "high", | ||
| implementation_guidance: "Define secure disposal methods for digital data (cryptographic erase, overwriting, secure deletion) and physical media (shredding, degaussing, incineration). Document disposal actions including date, method, data category, and personnel. Verify disposal effectiveness periodically.", | ||
| checks: [ | ||
| { id: "PRIV-RET-02-C1", description: "Secure disposal procedures documented", status: "not-implemented" }, | ||
| { id: "PRIV-RET-02-C2", description: "Disposal actions logged and verified", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| { | ||
| id: "PRIV-RET-03", | ||
| name: "Data Minimization", | ||
| description: "Collect and retain only the minimum personal data necessary for stated purposes.", | ||
| category: "data-retention", | ||
| framework: "PRIVACY-CORE", | ||
| status: "not-implemented", | ||
| severity: "medium", | ||
| implementation_guidance: "Implement data minimization principles: collect only data necessary for the stated purpose, implement field-level controls in forms, conduct periodic data minimization reviews, and anonymize or delete data no longer needed.", | ||
| checks: [ | ||
| { id: "PRIV-RET-03-C1", description: "Data minimization principles applied to collection forms", status: "not-implemented" }, | ||
| { id: "PRIV-RET-03-C2", description: "Periodic minimization reviews conducted", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| // ============================================================ | ||
| // PRIV-TRN — TRAINING & AWARENESS | ||
| // ============================================================ | ||
| { | ||
| id: "PRIV-TRN-01", | ||
| name: "Employee Privacy Training", | ||
| description: "Provide privacy awareness training to all employees upon hire and at least annually.", | ||
| category: "privacy-training", | ||
| framework: "PRIVACY-CORE", | ||
| status: "not-implemented", | ||
| severity: "high", | ||
| implementation_guidance: "Provide privacy training covering: data handling procedures, individual rights, breach reporting, data minimization, secure communication, and applicable privacy laws. Track completion. Require annual refresher training. Update content to reflect regulatory changes.", | ||
| checks: [ | ||
| { id: "PRIV-TRN-01-C1", description: "Privacy training provided on hire", status: "not-implemented" }, | ||
| { id: "PRIV-TRN-01-C2", description: "Annual refresher training completed by all staff", status: "not-implemented" }, | ||
| { id: "PRIV-TRN-01-C3", description: "Training completion tracked", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| { | ||
| id: "PRIV-TRN-02", | ||
| name: "Specialized Role Training", | ||
| description: "Provide role-specific privacy training to personnel with specialized privacy responsibilities.", | ||
| category: "privacy-training", | ||
| framework: "PRIVACY-CORE", | ||
| status: "not-implemented", | ||
| severity: "medium", | ||
| implementation_guidance: "Identify roles requiring specialized training (developers, system admins, customer support, HR, legal). Develop role-specific training modules. Include hands-on exercises for data handling, DSAR processing, and breach response. Update training content annually.", | ||
| checks: [ | ||
| { id: "PRIV-TRN-02-C1", description: "Specialized roles identified and documented", status: "not-implemented" }, | ||
| { id: "PRIV-TRN-02-C2", description: "Role-specific training modules delivered", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| { | ||
| id: "PRIV-TRN-03", | ||
| name: "Privacy Awareness Program", | ||
| description: "Maintain ongoing privacy awareness activities beyond formal training.", | ||
| category: "privacy-training", | ||
| framework: "PRIVACY-CORE", | ||
| status: "not-implemented", | ||
| severity: "low", | ||
| implementation_guidance: "Conduct ongoing awareness activities: privacy newsletters, awareness campaigns (Data Privacy Day), phishing simulations, privacy tips in internal communications, and visible privacy policy reminders. Measure awareness through periodic assessments.", | ||
| checks: [ | ||
| { id: "PRIV-TRN-03-C1", description: "Ongoing awareness activities conducted", status: "not-implemented" }, | ||
| { id: "PRIV-TRN-03-C2", description: "Awareness measured through periodic assessments", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| ]; | ||
| return { | ||
| id: "privacy-core", | ||
| name: "Privacy Core Framework (Global Baseline)", | ||
| description: "Universal privacy controls covering 10 core domains: Governance, Data Inventory, Consent Management, Data Subject Rights, Security Controls, Incident Management, Third-Party Management, Cross-Border Transfers, Retention & Disposal, and Training & Awareness. This is the foundational layer — install country packs on top for jurisdiction-specific requirements.", | ||
| version: "1.0.0", | ||
| project_types: [ | ||
| "saas", | ||
| "ai-application", | ||
| "healthcare-system", | ||
| "generic-web-application", | ||
| "api-backend", | ||
| "mobile-application", | ||
| "government-system", | ||
| "mcp-server", | ||
| "blockchain", | ||
| "event-platform", | ||
| "photo-storage-platform", | ||
| "vulnerability-scanner", | ||
| "wallet", | ||
| ], | ||
| controls, | ||
| frameworks: ["PRIVACY-CORE"], | ||
| }; | ||
| } |
| import type { PolicyPack } from "@greenarmor/ges-core"; | ||
| export declare function createUKGDPRPolicyPack(): PolicyPack; | ||
| export declare function createSwissFADPPolicyPack(): PolicyPack; | ||
| export declare function createSingaporePDPAPolicyPack(): PolicyPack; | ||
| export declare function createPhilippinesDPAPolicyPack(): PolicyPack; | ||
| export declare function createJapanAPPIPolicyPack(): PolicyPack; | ||
| export declare function createSouthKoreaPIPAPolicyPack(): PolicyPack; | ||
| export declare function createChinaPIPLPolicyPack(): PolicyPack; | ||
| export declare function createIndiaDPDPAPolicyPack(): PolicyPack; | ||
| export declare function createBrazilLGPDPolicyPack(): PolicyPack; | ||
| export declare function createCanadaPIPEDAPolicyPack(): PolicyPack; | ||
| export declare function createCaliforniaCRPAPolicyPack(): PolicyPack; | ||
| export declare function createSouthAfricaPOPIAPolicyPack(): PolicyPack; | ||
| export declare function createUAEPDPLPolicyPack(): PolicyPack; | ||
| export declare function createSaudiArabiaPDPLPolicyPack(): PolicyPack; |
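Review bot: The exported name `createCaliforniaCRPAPolicyPack` looks like a transposition of the California statute's acronym, which is CPRA (California Privacy Rights Act); once published this identifier is part of the package's public API, so a later rename is a breaking change for consumers. This declaration file appears to be compiler output, so the correction belongs in the source that defines the function, after which the emitted line would read `export declare function createCaliforniaCPRAPolicyPack(): PolicyPack;`. If the current spelling is intentional, a one-line TSDoc comment above the definition naming the statute it implements would stop readers from treating it as a typo.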
| // ============================================================ | ||
| // EUROPE | ||
| // ============================================================ | ||
| export function createUKGDPRPolicyPack() { | ||
| const controls = [ | ||
| { | ||
| id: "UK-GDPR-01", | ||
| name: "UK Data Protection Act 2018 Compliance", | ||
| description: "Ensure compliance with the UK Data Protection Act 2018 and UK GDPR.", | ||
| category: "privacy-governance", | ||
| framework: "UK-GDPR", | ||
| status: "not-implemented", | ||
| severity: "critical", | ||
| implementation_guidance: "Implement UK GDPR requirements including: registering with the ICO if required, maintaining ROPA aligned with UK requirements, conducting DPIAs for high-risk processing, appointing a UK representative if processing UK data from outside the UK, and complying with ICO guidance and codes of practice.", | ||
| checks: [ | ||
| { id: "UK-GDPR-01-C1", description: "ICO registration completed if required", status: "not-implemented" }, | ||
| { id: "UK-GDPR-01-C2", description: "UK-specific ROPA maintained", status: "not-implemented" }, | ||
| { id: "UK-GDPR-01-C3", description: "UK representative appointed if applicable", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| { | ||
| id: "UK-GDPR-02", | ||
| name: "UK International Transfers", | ||
| description: "Implement UK-specific international data transfer mechanisms.", | ||
| category: "cross-border-transfers", | ||
| framework: "UK-GDPR", | ||
| status: "not-implemented", | ||
| severity: "high", | ||
| implementation_guidance: "Use the UK International Data Transfer Agreement (IDTA) or the UK Addendum to EU SCCs for transfers to non-adequate countries. Conduct Transfer Risk Assessments (TRAs) following ICO guidance. Monitor UK adequacy regulations for updates.", | ||
| checks: [ | ||
| { id: "UK-GDPR-02-C1", description: "IDTA or UK Addendum executed for non-adequate transfers", status: "not-implemented" }, | ||
| { id: "UK-GDPR-02-C2", description: "Transfer Risk Assessments conducted", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| { | ||
| id: "UK-GDPR-03", | ||
| name: "ICO Breach Notification", | ||
| description: "Notify the ICO of personal data breaches within 72 hours.", | ||
| category: "incident-management", | ||
| framework: "UK-GDPR", | ||
| status: "not-implemented", | ||
| severity: "critical", | ||
| implementation_guidance: "Implement procedures to notify the ICO of eligible personal data breaches within 72 hours of becoming aware. Use the ICO breach reporting service. Notify affected individuals without undue delay if high risk. Document all breach notifications.", | ||
| checks: [ | ||
| { id: "UK-GDPR-03-C1", description: "ICO breach notification within 72 hours", status: "not-implemented" }, | ||
| { id: "UK-GDPR-03-C2", description: "Individual notification for high-risk breaches", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| ]; | ||
| return { | ||
| id: "uk-gdpr", | ||
| name: "UK GDPR & Data Protection Act 2018 Pack", | ||
| description: "UK-specific privacy controls: ICO registration, UK international transfer mechanisms (IDTA/UK Addendum), and ICO breach notification procedures.", | ||
| version: "1.0.0", | ||
| project_types: ["saas", "generic-web-application", "api-backend", "mobile-application"], | ||
| controls, | ||
| frameworks: ["UK-GDPR"], | ||
| }; | ||
| } | ||
| export function createSwissFADPPolicyPack() { | ||
| const controls = [ | ||
| { | ||
| id: "FADP-01", | ||
| name: "FADP Compliance", | ||
| description: "Ensure compliance with the Swiss Federal Act on Data Protection (FADP, revFSDG).", | ||
| category: "privacy-governance", | ||
| framework: "FADP", | ||
| status: "not-implemented", | ||
| severity: "critical", | ||
| implementation_guidance: "Implement the revised Swiss FADP (in effect since September 2023): maintain a data processing register, appoint a data protection advisor if processing high-risk data on a large scale, provide transparent privacy notices, and comply with FDPIC requirements.", | ||
| checks: [ | ||
| { id: "FADP-01-C1", description: "Data processing register maintained", status: "not-implemented" }, | ||
| { id: "FADP-01-C2", description: "FADP privacy notices published", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| { | ||
| id: "FADP-02", | ||
| name: "Swiss Cross-Border Transfers", | ||
| description: "Ensure lawful international data transfers under Swiss FADP.", | ||
| category: "cross-border-transfers", | ||
| framework: "FADP", | ||
| status: "not-implemented", | ||
| severity: "high", | ||
| implementation_guidance: "Ensure transfers to countries without adequate protection are covered by adequate safeguards (SCCs, BCRs, or FDPIC-approved mechanisms). Maintain the list of countries recognized as adequate by the FDPIC. Document transfer assessments.", | ||
| checks: [ | ||
| { id: "FADP-02-C1", description: "Adequate safeguards for non-adequate transfers", status: "not-implemented" }, | ||
| { id: "FADP-02-C2", description: "FDPIC adequacy list maintained", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| ]; | ||
| return { | ||
| id: "ch-fadp", | ||
| name: "Switzerland FADP Pack", | ||
| description: "Swiss Federal Act on Data Protection (revFSDG) compliance controls including FDPIC requirements and Swiss cross-border transfer rules.", | ||
| version: "1.0.0", | ||
| project_types: ["saas", "generic-web-application", "api-backend"], | ||
| controls, | ||
| frameworks: ["FADP"], | ||
| }; | ||
| } | ||
| // ============================================================ | ||
| // ASIA-PACIFIC | ||
| // ============================================================ | ||
| export function createSingaporePDPAPolicyPack() { | ||
| const controls = [ | ||
| { | ||
| id: "PDPA-SG-01", | ||
| name: "Accountability Obligation", | ||
| description: "Appoint a Data Protection Officer (DPO) and make their contact information publicly available.", | ||
| category: "privacy-governance", | ||
| framework: "PDPA-SG", | ||
| status: "not-implemented", | ||
| severity: "critical", | ||
| implementation_guidance: "Appoint a DPO and deputy DPO. Publish DPO contact information on the organization's website and in the PDPC's registry. Ensure the DPO has adequate knowledge of PDPA requirements. Develop and implement a data protection policy aligned with PDPC guidelines.", | ||
| checks: [ | ||
| { id: "PDPA-SG-01-C1", description: "DPO appointed and publicly identified", status: "not-implemented" }, | ||
| { id: "PDPA-SG-01-C2", description: "Data protection policy developed", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| { | ||
| id: "PDPA-SG-02", | ||
| name: "Data Breach Notification", | ||
| description: "Notify PDPC and affected individuals of qualifying data breaches within 3 calendar days.", | ||
| category: "incident-management", | ||
| framework: "PDPA-SG", | ||
| status: "not-implemented", | ||
| severity: "critical", | ||
| implementation_guidance: "Implement breach assessment procedures to determine if a breach is notifiable (significant scale or significant harm). Notify the PDPC within 3 calendar days of assessing a breach as notifiable. Notify affected individuals if the breach is likely to result in significant harm. Document all breach notifications.", | ||
| checks: [ | ||
| { id: "PDPA-SG-02-C1", description: "Breach notification to PDPC within 3 days", status: "not-implemented" }, | ||
| { id: "PDPA-SG-02-C2", description: "Individual notification for significant harm breaches", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| { | ||
| id: "PDPA-SG-03", | ||
| name: "Do Not Call Registry", | ||
| description: "Comply with Singapore's Do Not Call (DNC) registry requirements for telemarketing.", | ||
| category: "consent-management", | ||
| framework: "PDPA-SG", | ||
| status: "not-implemented", | ||
| severity: "medium", | ||
| implementation_guidance: "Check the DNC registry before sending marketing messages to Singapore phone numbers. Maintain clear consent records for telemarketing. Honor DNC registry and individual opt-out requests. Implement processes to verify DNC status before each campaign.", | ||
| checks: [ | ||
| { id: "PDPA-SG-03-C1", description: "DNC registry checked before telemarketing", status: "not-implemented" }, | ||
| { id: "PDPA-SG-03-C2", description: "Opt-out requests honored promptly", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| { | ||
| id: "PDPA-SG-04", | ||
| name: "Data Portability (PDPA Amendment)", | ||
| description: "Implement data portability requirements under the PDPA amendments.", | ||
| category: "data-subject-rights", | ||
| framework: "PDPA-SG", | ||
| status: "not-implemented", | ||
| severity: "medium", | ||
| implementation_guidance: "Implement mechanisms allowing individuals to request their personal data in a structured, commonly used, and machine-readable format. Enable transmission to another organization where applicable. Develop portability request handling procedures.", | ||
| checks: [ | ||
| { id: "PDPA-SG-04-C1", description: "Data portability mechanism implemented", status: "not-implemented" }, | ||
| { id: "PDPA-SG-04-C2", description: "Request handling procedures documented", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| ]; | ||
| return { | ||
| id: "sg-pdpa", | ||
| name: "Singapore PDPA Pack", | ||
| description: "Singapore Personal Data Protection Act (PDPA) controls: DPO appointment, PDPC breach notification (3 days), Do Not Call registry compliance, and data portability.", | ||
| version: "1.0.0", | ||
| project_types: ["saas", "generic-web-application", "api-backend", "mobile-application"], | ||
| controls, | ||
| frameworks: ["PDPA-SG"], | ||
| }; | ||
| } | ||
| export function createPhilippinesDPAPolicyPack() { | ||
| const controls = [ | ||
| { | ||
| id: "DPA-PH-01", | ||
| name: "PIC/PIP Responsibilities", | ||
| description: "Designate Personal Information Controller (PIC) and Personal Information Processor (PIP) roles.", | ||
| category: "privacy-governance", | ||
| framework: "DPA-PH", | ||
| status: "not-implemented", | ||
| severity: "critical", | ||
| implementation_guidance: "Designate and document PIC (controller) and PIP (processor) roles. Define their respective responsibilities under the Philippine Data Privacy Act. Ensure contracts between PICs and PIPs clearly define obligations. Implement the principle of accountability throughout the data lifecycle.", | ||
| checks: [ | ||
| { id: "DPA-PH-01-C1", description: "PIC and PIP roles designated and documented", status: "not-implemented" }, | ||
| { id: "DPA-PH-01-C2", description: "PIC-PIP contracts define obligations", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| { | ||
| id: "DPA-PH-02", | ||
| name: "NPC Registration", | ||
| description: "Register with the National Privacy Commission (NPC) as required.", | ||
| category: "privacy-governance", | ||
| framework: "DPA-PH", | ||
| status: "not-implemented", | ||
| severity: "high", | ||
| implementation_guidance: "Register with the NPC if processing personal data of 1,000+ individuals. Appoint a Data Protection Officer and register them with the NPC. Submit the required registration forms and documentation. Renew registration as required by NPC circulars.", | ||
| checks: [ | ||
| { id: "DPA-PH-02-C1", description: "NPC registration completed if applicable", status: "not-implemented" }, | ||
| { id: "DPA-PH-02-C2", description: "DPO registered with NPC", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| { | ||
| id: "DPA-PH-03", | ||
| name: "NPC Circular Compliance", | ||
| description: "Comply with NPC Circular 16-03 (Security of Personal Data) and NPC Circular 17-01 (Registration).", | ||
| category: "security-controls", | ||
| framework: "DPA-PH", | ||
| status: "not-implemented", | ||
| severity: "high", | ||
| implementation_guidance: "Implement NPC Circular 16-03 requirements: physical security, organizational security, and technical security measures. Document data processing systems per Circular 17-01. Conduct privacy impact assessments. Maintain breach management procedures aligned with NPC requirements.", | ||
| checks: [ | ||
| { id: "DPA-PH-03-C1", description: "NPC Circular 16-03 security measures implemented", status: "not-implemented" }, | ||
| { id: "DPA-PH-03-C2", description: "Data processing systems documented per Circular 17-01", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| { | ||
| id: "DPA-PH-04", | ||
| name: "Breach Reporting to NPC", | ||
| description: "Report personal data breaches to the NPC within 72 hours.", | ||
| category: "incident-management", | ||
| framework: "DPA-PH", | ||
| status: "not-implemented", | ||
| severity: "critical", | ||
| implementation_guidance: "Implement procedures to report breaches involving sensitive personal data or affecting 100+ individuals to the NPC within 72 hours. Notify affected individuals. Document all breach reports and follow-up communications with the NPC.", | ||
| checks: [ | ||
| { id: "DPA-PH-04-C1", description: "NPC breach notification within 72 hours", status: "not-implemented" }, | ||
| { id: "DPA-PH-04-C2", description: "Affected individuals notified", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| ]; | ||
| return { | ||
| id: "ph-dpa", | ||
| name: "Philippines Data Privacy Act Pack", | ||
| description: "Philippine Data Privacy Act (DPA) controls: PIC/PIP responsibilities, NPC registration, NPC Circular compliance (16-03, 17-01), and NPC breach reporting (72 hours).", | ||
| version: "1.0.0", | ||
| project_types: ["saas", "generic-web-application", "api-backend", "mobile-application", "government-system"], | ||
| controls, | ||
| frameworks: ["DPA-PH"], | ||
| }; | ||
| } | ||
| export function createJapanAPPIPolicyPack() { | ||
| const controls = [ | ||
| { | ||
| id: "APPI-01", | ||
| name: "Personal Information Handling Business Operator Compliance", | ||
| description: "Comply with Japan's Act on the Protection of Personal Information (APPI) as a Personal Information Handling Business Operator.", | ||
| category: "privacy-governance", | ||
| framework: "APPI", | ||
| status: "not-implemented", | ||
| severity: "critical", | ||
| implementation_guidance: "Specify the purpose of use for personal data and publish it. Obtain consent for using data beyond the specified purpose. Maintain proper handling of sensitive personal information (race, creed, medical history, criminal records). Respond to disclosure requests from data subjects.", | ||
| checks: [ | ||
| { id: "APPI-01-C1", description: "Purpose of use specified and published", status: "not-implemented" }, | ||
| { id: "APPI-01-C2", description: "Sensitive information handling procedures defined", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| { | ||
| id: "APPI-02", | ||
| name: "Cross-Border Transfer Requirements", | ||
| description: "Implement APPI requirements for transferring personal data to third parties in foreign countries.", | ||
| category: "cross-border-transfers", | ||
| framework: "APPI", | ||
| status: "not-implemented", | ||
| severity: "high", | ||
| implementation_guidance: "Obtain prior consent for cross-border transfers to countries without equivalent data protection. Inform data subjects of the destination country and its data protection regime. Document the equivalent protection status of destination countries per PPC guidelines.", | ||
| checks: [ | ||
| { id: "APPI-02-C1", description: "Prior consent obtained for cross-border transfers", status: "not-implemented" }, | ||
| { id: "APPI-02-C2", description: "Destination country protection status documented", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| { | ||
| id: "APPI-03", | ||
| name: "PPC Breach Reporting", | ||
| description: "Report personal data breaches to the Personal Information Protection Commission (PPC).", | ||
| category: "incident-management", | ||
| framework: "APPI", | ||
| status: "not-implemented", | ||
| severity: "high", | ||
| implementation_guidance: "Report breaches involving sensitive or high-risk personal data to the PPC without delay (within 3-5 days). Notify affected individuals. Document breach details, remediation actions, and preventive measures. Maintain breach records for PPC inspection.", | ||
| checks: [ | ||
| { id: "APPI-03-C1", description: "PPC breach reporting procedures implemented", status: "not-implemented" }, | ||
| { id: "APPI-03-C2", description: "Individual notification for high-risk breaches", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| ]; | ||
| return { | ||
| id: "jp-appi", | ||
| name: "Japan APPI Pack", | ||
| description: "Japan Act on the Protection of Personal Information (APPI) controls: purpose specification, cross-border transfer consent, sensitive data handling, and PPC breach reporting.", | ||
| version: "1.0.0", | ||
| project_types: ["saas", "generic-web-application", "api-backend", "mobile-application"], | ||
| controls, | ||
| frameworks: ["APPI"], | ||
| }; | ||
| } | ||
| export function createSouthKoreaPIPAPolicyPack() { | ||
| const controls = [ | ||
| { | ||
| id: "PIPA-01", | ||
| name: "Consent Requirements", | ||
| description: "Implement South Korea's strong consent requirements for personal data processing.", | ||
| category: "consent-management", | ||
| framework: "PIPA", | ||
| status: "not-implemented", | ||
| severity: "critical", | ||
| implementation_guidance: "Obtain separate consent for each processing purpose. Provide clear information about: collection items, purpose, retention period, and third-party sharing. Obtain explicit opt-in consent (not pre-checked boxes). Implement consent withdrawal mechanisms. Maintain detailed consent records.", | ||
| checks: [ | ||
| { id: "PIPA-01-C1", description: "Separate consent per processing purpose", status: "not-implemented" }, | ||
| { id: "PIPA-01-C2", description: "Explicit opt-in (no pre-checked boxes)", status: "not-implemented" }, | ||
| { id: "PIPA-01-C3", description: "Consent withdrawal mechanism available", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| { | ||
| id: "PIPA-02", | ||
| name: "Processing Restrictions", | ||
| description: "Comply with PIPA restrictions on processing sensitive information and unique identifiers.", | ||
| category: "consent-management", | ||
| framework: "PIPA", | ||
| status: "not-implemented", | ||
| severity: "high", | ||
| implementation_guidance: "Obtain separate consent for sensitive information (ideology, health, criminal records). Obtain separate consent for resident registration numbers (RRN). Implement strict security controls for sensitive data. Minimize collection of unique identifiers.", | ||
| checks: [ | ||
| { id: "PIPA-02-C1", description: "Separate consent for sensitive information", status: "not-implemented" }, | ||
| { id: "PIPA-02-C2", description: "Strict security for unique identifiers", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| { | ||
| id: "PIPA-03", | ||
| name: "KISA Breach Notification", | ||
| description: "Report personal data breaches to KISA and affected individuals without delay.", | ||
| category: "incident-management", | ||
| framework: "PIPA", | ||
| status: "not-implemented", | ||
| severity: "critical", | ||
| implementation_guidance: "Report breaches to KISA (Korea Internet & Security Agency) without delay upon becoming aware. Notify affected individuals without delay. Document breach details including: cause, scope, data types, mitigation measures, and recurrence prevention plans.", | ||
| checks: [ | ||
| { id: "PIPA-03-C1", description: "KISA breach notification without delay", status: "not-implemented" }, | ||
| { id: "PIPA-03-C2", description: "Individual notification without delay", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| ]; | ||
| return { | ||
| id: "kr-pipa", | ||
| name: "South Korea PIPA Pack", | ||
| description: "South Korea Personal Information Protection Act (PIPA) controls: strong consent requirements, sensitive data restrictions, and KISA breach notification.", | ||
| version: "1.0.0", | ||
| project_types: ["saas", "generic-web-application", "api-backend", "mobile-application"], | ||
| controls, | ||
| frameworks: ["PIPA"], | ||
| }; | ||
| } | ||
| export function createChinaPIPLPolicyPack() { | ||
| const controls = [ | ||
| { | ||
| id: "PIPL-01", | ||
| name: "Data Localization", | ||
| description: "Implement data localization requirements for personal information collected in China.", | ||
| category: "cross-border-transfers", | ||
| framework: "PIPL", | ||
| status: "not-implemented", | ||
| severity: "critical", | ||
| implementation_guidance: "Store personal information of Chinese residents within mainland China for critical information infrastructure operators (CIIO) and processors exceeding thresholds. Implement technical controls ensuring affected data remains within China. Do not transfer abroad without completing required assessments.", | ||
| checks: [ | ||
| { id: "PIPL-01-C1", description: "Data localization requirements assessed and implemented", status: "not-implemented" }, | ||
| { id: "PIPL-01-C2", description: "Technical controls enforce China data residency", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| { | ||
| id: "PIPL-02", | ||
| name: "CAC Security Assessment", | ||
| description: "Complete Cyberspace Administration of China (CAC) security assessment for cross-border transfers.", | ||
| category: "cross-border-transfers", | ||
| framework: "PIPL", | ||
| status: "not-implemented", | ||
| severity: "critical", | ||
| implementation_guidance: "Complete CAC security assessment before transferring personal information abroad if required (CIIOs, large-scale processors, or sensitive data). Submit to CAC standard contract requirements. Maintain records of CAC assessments and approvals. Monitor CAC threshold updates.", | ||
| checks: [ | ||
| { id: "PIPL-02-C1", description: "CAC security assessment completed for applicable transfers", status: "not-implemented" }, | ||
| { id: "PIPL-02-C2", description: "CAC standard contracts executed", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| { | ||
| id: "PIPL-03", | ||
| name: "Separate Consent for Sensitive Information", | ||
| description: "Obtain separate consent for processing sensitive personal information under PIPL.", | ||
| category: "consent-management", | ||
| framework: "PIPL", | ||
| status: "not-implemented", | ||
| severity: "high", | ||
| implementation_guidance: "Obtain separate, explicit consent for processing sensitive personal information (biometrics, religion, health, financial data, children under 14). Provide detailed information about necessity and impact. Implement stricter security measures for sensitive data. Document all sensitive data consent records.", | ||
| checks: [ | ||
| { id: "PIPL-03-C1", description: "Separate consent for sensitive personal information", status: "not-implemented" }, | ||
| { id: "PIPL-03-C2", description: "Stricter security for sensitive data", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| { | ||
| id: "PIPL-04", | ||
| name: "PIPL Individual Rights", | ||
| description: "Implement PIPL-specific data subject rights including the right to explanation for automated decisions.", | ||
| category: "data-subject-rights", | ||
| framework: "PIPL", | ||
| status: "not-implemented", | ||
| severity: "high", | ||
| implementation_guidance: "Implement rights: access, copy, correction, deletion, restriction, portability, and explanation of automated decisions. Provide mechanisms for individuals to refuse profiling. Respond to requests within 15 working days. Document all requests and responses.", | ||
| checks: [ | ||
| { id: "PIPL-04-C1", description: "All PIPL rights implemented with request mechanisms", status: "not-implemented" }, | ||
| { id: "PIPL-04-C2", description: "Automated decision explanation provided", status: "not-implemented" }, | ||
| { id: "PIPL-04-C3", description: "Responses within 15 working days", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| ]; | ||
| return { | ||
| id: "cn-pipl", | ||
| name: "China PIPL Pack", | ||
| description: "China Personal Information Protection Law (PIPL) controls: data localization, CAC security assessment, separate consent for sensitive data, and PIPL individual rights.", | ||
| version: "1.0.0", | ||
| project_types: ["saas", "generic-web-application", "api-backend", "mobile-application"], | ||
| controls, | ||
| frameworks: ["PIPL"], | ||
| }; | ||
| } | ||
| export function createIndiaDPDPAPolicyPack() { | ||
| const controls = [ | ||
| { | ||
| id: "DPDPA-01", | ||
| name: "Consent Manager Framework", | ||
| description: "Implement interoperable consent management per India's DPDPA Consent Manager requirements.", | ||
| category: "consent-management", | ||
| framework: "DPDPA", | ||
| status: "not-implemented", | ||
| severity: "critical", | ||
| implementation_guidance: "Integrate with DPDP-approved Consent Manager platforms. Ensure consent is free, specific, informed, unconditional, and unambiguous with clear affirmative action. Provide the ability to withdraw consent through the Consent Manager. Maintain verifiable consent records.", | ||
| checks: [ | ||
| { id: "DPDPA-01-C1", description: "Consent Manager integration implemented", status: "not-implemented" }, | ||
| { id: "DPDPA-01-C2", description: "Consent withdrawal via Consent Manager available", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| { | ||
| id: "DPDPA-02", | ||
| name: "Significant Data Fiduciary Obligations", | ||
| description: "Comply with enhanced obligations if designated as a Significant Data Fiduciary.", | ||
| category: "privacy-governance", | ||
| framework: "DPDPA", | ||
| status: "not-implemented", | ||
| severity: "high", | ||
| implementation_guidance: "If designated as a Significant Data Fiduciary by the Central Government: appoint a DPO based in India, conduct Data Protection Impact Assessments, conduct independent data audits, and comply with any additional measures prescribed by the Data Protection Board.", | ||
| checks: [ | ||
| { id: "DPDPA-02-C1", description: "SDF status assessed and documented", status: "not-implemented" }, | ||
| { id: "DPDPA-02-C2", description: "DPO based in India appointed if SDF", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| { | ||
| id: "DPDPA-03", | ||
| name: "Breach Notification to Data Protection Board", | ||
| description: "Report personal data breaches to the Data Protection Board of India.", | ||
| category: "incident-management", | ||
| framework: "DPDPA", | ||
| status: "not-implemented", | ||
| severity: "critical", | ||
| implementation_guidance: "Notify affected individuals and the Data Protection Board of any personal data breach. Provide detailed description of the breach, its likely impact, mitigation measures, and actions taken. Implement procedures for timely notification as prescribed by Board regulations.", | ||
| checks: [ | ||
| { id: "DPDPA-03-C1", description: "Board notification procedures implemented", status: "not-implemented" }, | ||
| { id: "DPDPA-03-C2", description: "Affected individuals notified", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| ]; | ||
| return { | ||
| id: "in-dpdpa", | ||
| name: "India DPDPA Pack", | ||
| description: "India Digital Personal Data Protection Act (DPDPA) controls: Consent Manager framework, Significant Data Fiduciary obligations, and Data Protection Board breach reporting.", | ||
| version: "1.0.0", | ||
| project_types: ["saas", "generic-web-application", "api-backend", "mobile-application"], | ||
| controls, | ||
| frameworks: ["DPDPA"], | ||
| }; | ||
| } | ||
| // ============================================================ | ||
| // AMERICAS | ||
| // ============================================================ | ||
| export function createBrazilLGPDPolicyPack() { | ||
| const controls = [ | ||
| { | ||
| id: "LGPD-01", | ||
| name: "Data Protection Officer (Encarregado)", | ||
| description: "Appoint a Data Protection Officer (DPO/Encarregado) and communicate with ANPD.", | ||
| category: "privacy-governance", | ||
| framework: "LGPD", | ||
| status: "not-implemented", | ||
| severity: "critical", | ||
| implementation_guidance: "Appoint an Encarregado (DPO) who will: communicate with ANPD, handle data subject requests, guide data protection activities, and provide annual reports. Publish DPO contact information on the organization's website. Ensure the DPO has adequate authority and independence.", | ||
| checks: [ | ||
| { id: "LGPD-01-C1", description: "Encarregado appointed and contact info published", status: "not-implemented" }, | ||
| { id: "LGPD-01-C2", description: "Annual ANPD report prepared", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| { | ||
| id: "LGPD-02", | ||
| name: "Legal Bases for Processing", | ||
| description: "Identify and document the appropriate legal basis for each processing activity under LGPD.", | ||
| category: "consent-management", | ||
| framework: "LGPD", | ||
| status: "not-implemented", | ||
| severity: "high", | ||
| implementation_guidance: "Document the legal basis for each processing activity: consent, contract performance, legal obligation, public policy, research, legitimate interests, credit protection, or health protection. Maintain records alongside the ROPA. Conduct legitimate interest assessments where applicable.", | ||
| checks: [ | ||
| { id: "LGPD-02-C1", description: "Legal basis documented per processing activity", status: "not-implemented" }, | ||
| { id: "LGPD-02-C2", description: "Legitimate interest assessments conducted", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| { | ||
| id: "LGPD-03", | ||
| name: "ANPD Breach Notification", | ||
| description: "Notify ANPD and affected individuals of data security incidents that may cause risk or damage.", | ||
| category: "incident-management", | ||
| framework: "LGPD", | ||
| status: "not-implemented", | ||
| severity: "critical", | ||
| implementation_guidance: "Notify ANPD within a reasonable timeframe of becoming aware of a security incident that may cause risk or relevant damage to data subjects. Include: nature of the incident, affected data, technical security measures, risk assessment, and mitigation steps. Notify affected individuals about risks and mitigation measures.", | ||
| checks: [ | ||
| { id: "LGPD-03-C1", description: "ANPD notification procedures implemented", status: "not-implemented" }, | ||
| { id: "LGPD-03-C2", description: "Individual notification for risk/damage incidents", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| { | ||
| id: "LGPD-04", | ||
| name: "LGPD Data Subject Rights", | ||
| description: "Implement LGPD-specific rights including confirmation of processing and data quality.", | ||
| category: "data-subject-rights", | ||
| framework: "LGPD", | ||
| status: "not-implemented", | ||
| severity: "high", | ||
| implementation_guidance: "Implement LGPD rights: confirmation of processing, access, correction, anonymization/blocking/deletion, portability, deletion of consented data, information about sharing, information about refusal to consent, and revocation of consent. Respond within 15 days.", | ||
| checks: [ | ||
| { id: "LGPD-04-C1", description: "All LGPD rights implemented", status: "not-implemented" }, | ||
| { id: "LGPD-04-C2", description: "Responses within 15 days", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| ]; | ||
| return { | ||
| id: "br-lgpd", | ||
| name: "Brazil LGPD Pack", | ||
| description: "Brazilian General Data Protection Law (LGPD) controls: Encarregado appointment, ANPD communication, legal bases documentation, LGPD rights, and ANPD breach notification.", | ||
| version: "1.0.0", | ||
| project_types: ["saas", "generic-web-application", "api-backend", "mobile-application"], | ||
| controls, | ||
| frameworks: ["LGPD"], | ||
| }; | ||
| } | ||
| export function createCanadaPIPEDAPolicyPack() { | ||
| const controls = [ | ||
| { | ||
| id: "PIPEDA-01", | ||
| name: "Accountability Principle", | ||
| description: "Designate an individual accountable for compliance with PIPEDA's 10 fair information principles.", | ||
| category: "privacy-governance", | ||
| framework: "PIPEDA", | ||
| status: "not-implemented", | ||
| severity: "critical", | ||
| implementation_guidance: "Designate a Privacy Officer accountable for PIPEDA compliance. Develop and implement a privacy management program aligned with PIPEDA's 10 fair information principles. Ensure accountability is documented and communicated throughout the organization. Conduct annual PIPEDA compliance assessments.", | ||
| checks: [ | ||
| { id: "PIPEDA-01-C1", description: "Privacy Officer designated and documented", status: "not-implemented" }, | ||
| { id: "PIPEDA-01-C2", description: "PIPEDA privacy management program implemented", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| { | ||
| id: "PIPEDA-02", | ||
| name: "OPC Breach Notification", | ||
| description: "Notify the Office of the Privacy Commissioner (OPC) and affected individuals of breaches posing real risk of significant harm.", | ||
| category: "incident-management", | ||
| framework: "PIPEDA", | ||
| status: "not-implemented", | ||
| severity: "critical", | ||
| implementation_guidance: "Assess breaches for real risk of significant harm (RROSH). Notify affected individuals and the OPC of breaches meeting the RROSH threshold as soon as feasible. Maintain records of all breaches for 24 months. Include breach details, risk assessment, and mitigation measures in notifications.", | ||
| checks: [ | ||
| { id: "PIPEDA-02-C1", description: "RROSH assessment process implemented", status: "not-implemented" }, | ||
| { id: "PIPEDA-02-C2", description: "OPC and individual notification for RROSH breaches", status: "not-implemented" }, | ||
| { id: "PIPEDA-02-C3", description: "Breach records maintained for 24 months", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| { | ||
| id: "PIPEDA-03", | ||
| name: "Cross-Border Transfer Requirements", | ||
| description: "Ensure cross-border transfers of personal information maintain PIPEDA-level protection.", | ||
| category: "cross-border-transfers", | ||
| framework: "PIPEDA", | ||
| status: "not-implemented", | ||
| severity: "medium", | ||
| implementation_guidance: "Ensure third-party recipients in other countries provide a level of protection comparable to PIPEDA. Implement contractual safeguards. Conduct due diligence on foreign recipients. Inform individuals of cross-border transfers in privacy notices.", | ||
| checks: [ | ||
| { id: "PIPEDA-03-C1", description: "Comparable protection ensured for cross-border transfers", status: "not-implemented" }, | ||
| { id: "PIPEDA-03-C2", description: "Individuals informed of cross-border transfers", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| ]; | ||
| return { | ||
| id: "ca-pipeda", | ||
| name: "Canada PIPEDA Pack", | ||
| description: "Canada Personal Information Protection and Electronic Documents Act (PIPEDA) controls: accountability principle, OPC breach notification (RROSH), and cross-border transfer safeguards.", | ||
| version: "1.0.0", | ||
| project_types: ["saas", "generic-web-application", "api-backend", "mobile-application"], | ||
| controls, | ||
| frameworks: ["PIPEDA"], | ||
| }; | ||
| } | ||
| export function createCaliforniaCRPAPolicyPack() { | ||
| const controls = [ | ||
| { | ||
| id: "CPRA-01", | ||
| name: "Consumer Rights", | ||
| description: "Implement California Consumer Privacy Act (CPRA) consumer rights including the right to opt-out of sale/sharing.", | ||
| category: "data-subject-rights", | ||
| framework: "CPRA", | ||
| status: "not-implemented", | ||
| severity: "critical", | ||
| implementation_guidance: "Implement CPRA rights: know, delete, correct, opt-out of sale/sharing, limit use of sensitive PI, and non-discrimination. Provide a 'Do Not Sell or Share My Personal Information' link. Implement a 'Limit the Use of My Sensitive Personal Information' link. Honor Global Privacy Control (GPC) signals. Respond to requests within 45 days.", | ||
| checks: [ | ||
| { id: "CPRA-01-C1", description: "All CPRA rights implemented with request mechanisms", status: "not-implemented" }, | ||
| { id: "CPRA-01-C2", description: "'Do Not Sell or Share' link provided", status: "not-implemented" }, | ||
| { id: "CPRA-01-C3", description: "GPC signals honored", status: "not-implemented" }, | ||
| { id: "CPRA-01-C4", description: "Responses within 45 days", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| { | ||
| id: "CPRA-02", | ||
| name: "Sensitive Personal Information Controls", | ||
| description: "Implement specific controls for sensitive personal information under CPRA.", | ||
| category: "consent-management", | ||
| framework: "CPRA", | ||
| status: "not-implemented", | ||
| severity: "high", | ||
| implementation_guidance: "Identify and classify sensitive personal information (SSN, driver's license, financial accounts, health data, precise geolocation, biometrics, email/passwords). Provide the right to limit use of sensitive PI. Implement additional security controls for sensitive PI categories. Disclose sensitive PI categories in privacy notices.", | ||
| checks: [ | ||
| { id: "CPRA-02-C1", description: "Sensitive PI classified and documented", status: "not-implemented" }, | ||
| { id: "CPRA-02-C2", description: "Limit use mechanism for sensitive PI available", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| { | ||
| id: "CPRA-03", | ||
| name: "Privacy Notice Requirements", | ||
| description: "Provide CPRA-compliant privacy notices at collection and in general privacy policy.", | ||
| category: "privacy-governance", | ||
| framework: "CPRA", | ||
| status: "not-implemented", | ||
| severity: "high", | ||
| implementation_guidance: "Provide notice at collection listing: categories of PI collected, purposes, retention periods, and whether sold/shared. Update privacy policy with: PI categories, sources, business purposes, third-party categories, sale/sharing opt-out, sensitive PI categories, retention periods, and financial incentive details. Review and update annually.", | ||
| checks: [ | ||
| { id: "CPRA-03-C1", description: "Notice at collection provided", status: "not-implemented" }, | ||
| { id: "CPRA-03-C2", description: "Privacy policy includes all CPRA-required sections", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| ]; | ||
| return { | ||
| id: "us-cpra", | ||
| name: "California CPRA Pack", | ||
| description: "California Consumer Privacy Rights Act (CPRA) controls: consumer rights, opt-out of sale/sharing, sensitive PI controls, GPC support, and privacy notice requirements.", | ||
| version: "1.0.0", | ||
| project_types: ["saas", "generic-web-application", "api-backend", "mobile-application"], | ||
| controls, | ||
| frameworks: ["CPRA"], | ||
| }; | ||
| } | ||
| // ============================================================ | ||
| // AFRICA | ||
| // ============================================================ | ||
| export function createSouthAfricaPOPIAPolicyPack() { | ||
| const controls = [ | ||
| { | ||
| id: "POPIA-01", | ||
| name: "Information Officer", | ||
| description: "Designate an Information Officer and register with the Information Regulator.", | ||
| category: "privacy-governance", | ||
| framework: "POPIA", | ||
| status: "not-implemented", | ||
| severity: "critical", | ||
| implementation_guidance: "Designate an Information Officer (IO) and deputy IO. Register the IO with the Information Regulator. Ensure the IO's contact details are publicly available. The IO is responsible for: encouraging compliance, handling information requests, cooperating with the Regulator, and internal awareness training.", | ||
| checks: [ | ||
| { id: "POPIA-01-C1", description: "Information Officer designated and registered", status: "not-implemented" }, | ||
| { id: "POPIA-01-C2", description: "IO contact details publicly available", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| { | ||
| id: "POPIA-02", | ||
| name: "Processing Conditions", | ||
| description: "Implement POPIA's 8 conditions for lawful processing of personal information.", | ||
| category: "consent-management", | ||
| framework: "POPIA", | ||
| status: "not-implemented", | ||
| severity: "high", | ||
| implementation_guidance: "Implement the 8 conditions: accountability, processing limitation, purpose specification, further processing limitation, information quality, openness, security safeguards, and data subject participation. Document compliance for each condition. Conduct annual POPIA compliance assessments.", | ||
| checks: [ | ||
| { id: "POPIA-02-C1", description: "All 8 processing conditions documented and implemented", status: "not-implemented" }, | ||
| { id: "POPIA-02-C2", description: "Annual compliance assessments conducted", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| { | ||
| id: "POPIA-03", | ||
| name: "Information Regulator Breach Notification", | ||
| description: "Notify the Information Regulator of security compromises as soon as reasonably possible.", | ||
| category: "incident-management", | ||
| framework: "POPIA", | ||
| status: "not-implemented", | ||
| severity: "high", | ||
| implementation_guidance: "Notify the Information Regulator of security compromises where there are reasonable grounds to believe personal information has been accessed or acquired by unauthorized persons. Notify affected data subjects. Document all notifications and the Regulator's responses.", | ||
| checks: [ | ||
| { id: "POPIA-03-C1", description: "Regulator notification procedures implemented", status: "not-implemented" }, | ||
| { id: "POPIA-03-C2", description: "Affected individuals notified", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| ]; | ||
| return { | ||
| id: "za-popia", | ||
| name: "South Africa POPIA Pack", | ||
| description: "South Africa Protection of Personal Information Act (POPIA) controls: Information Officer designation, 8 processing conditions, and Information Regulator breach notification.", | ||
| version: "1.0.0", | ||
| project_types: ["saas", "generic-web-application", "api-backend", "mobile-application"], | ||
| controls, | ||
| frameworks: ["POPIA"], | ||
| }; | ||
| } | ||
| // ============================================================ | ||
| // MIDDLE EAST | ||
| // ============================================================ | ||
| export function createUAEPDPLPolicyPack() { | ||
| const controls = [ | ||
| { | ||
| id: "PDPL-UAE-01", | ||
| name: "Privacy Impact Assessment", | ||
| description: "Conduct privacy impact assessments for processing activities that may affect individual privacy.", | ||
| category: "privacy-governance", | ||
| framework: "PDPL-UAE", | ||
| status: "not-implemented", | ||
| severity: "high", | ||
| implementation_guidance: "Conduct PIAs for new processing activities involving sensitive data, large-scale processing, or innovative technologies. Document: processing purposes, data categories, necessity assessment, risk evaluation, and mitigation measures. Submit PIAs to the UAE Data Office if required.", | ||
| checks: [ | ||
| { id: "PDPL-UAE-01-C1", description: "PIA procedures documented and implemented", status: "not-implemented" }, | ||
| { id: "PDPL-UAE-01-C2", description: "PIAs conducted for high-risk processing", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| { | ||
| id: "PDPL-UAE-02", | ||
| name: "Cross-Border Transfer Requirements", | ||
| description: "Implement UAE PDPL requirements for cross-border data transfers.", | ||
| category: "cross-border-transfers", | ||
| framework: "PDPL-UAE", | ||
| status: "not-implemented", | ||
| severity: "high", | ||
| implementation_guidance: "Ensure cross-border transfers meet UAE PDPL requirements: adequate protection in destination country, appropriate safeguards, or specific authorization. Document transfer assessments. Monitor UAE Data Office guidance on recognized adequate jurisdictions.", | ||
| checks: [ | ||
| { id: "PDPL-UAE-02-C1", description: "Transfer adequacy assessments documented", status: "not-implemented" }, | ||
| { id: "PDPL-UAE-02-C2", description: "Appropriate safeguards implemented", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| ]; | ||
| return { | ||
| id: "ae-pdpl", | ||
| name: "UAE PDPL Pack", | ||
| description: "UAE Personal Data Protection Law (PDPL) controls: privacy impact assessments and cross-border transfer requirements.", | ||
| version: "1.0.0", | ||
| project_types: ["saas", "generic-web-application", "api-backend"], | ||
| controls, | ||
| frameworks: ["PDPL-UAE"], | ||
| }; | ||
| } | ||
| export function createSaudiArabiaPDPLPolicyPack() { | ||
| const controls = [ | ||
| { | ||
| id: "PDPL-SA-01", | ||
| name: "Data Localization", | ||
| description: "Implement Saudi Arabia PDPL data localization requirements for personal data.", | ||
| category: "cross-border-transfers", | ||
| framework: "PDPL-SA", | ||
| status: "not-implemented", | ||
| severity: "critical", | ||
| implementation_guidance: "Ensure personal data is processed and stored within Saudi Arabia unless the transfer meets PDPL requirements. Obtain National Data Management Office (NDMO) approval for cross-border transfers. Implement technical controls enforcing data residency. Document localization compliance.", | ||
| checks: [ | ||
| { id: "PDPL-SA-01-C1", description: "Data localization requirements assessed", status: "not-implemented" }, | ||
| { id: "PDPL-SA-01-C2", description: "NDMO approval for applicable transfers", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| { | ||
| id: "PDPL-SA-02", | ||
| name: "Consent Management", | ||
| description: "Implement Saudi PDPL consent requirements including explicit consent for sensitive data.", | ||
| category: "consent-management", | ||
| framework: "PDPL-SA", | ||
| status: "not-implemented", | ||
| severity: "high", | ||
| implementation_guidance: "Obtain clear and explicit consent for processing personal data. Obtain separate explicit consent for sensitive personal data (health, genetic, biometric, racial/ethnic, religious, credit/financial). Provide withdrawal mechanisms. Document consent records in Arabic and English.", | ||
| checks: [ | ||
| { id: "PDPL-SA-02-C1", description: "Explicit consent for processing implemented", status: "not-implemented" }, | ||
| { id: "PDPL-SA-02-C2", description: "Separate consent for sensitive data", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| ]; | ||
| return { | ||
| id: "sa-pdpl", | ||
| name: "Saudi Arabia PDPL Pack", | ||
| description: "Saudi Arabia Personal Data Protection Law (PDPL) controls: data localization, NDMO approval for transfers, and explicit consent requirements.", | ||
| version: "1.0.0", | ||
| project_types: ["saas", "generic-web-application", "api-backend"], | ||
| controls, | ||
| frameworks: ["PDPL-SA"], | ||
| }; | ||
| } |
| import type { PolicyPack } from "@greenarmor/ges-core"; | ||
| export declare function createUKGDPRPolicyPack(): PolicyPack; | ||
| export declare function createSwissFADPPolicyPack(): PolicyPack; |
| // ============================================================ | ||
| // UK GDPR — UNITED KINGDOM GENERAL DATA PROTECTION REGULATION | ||
| // UK Data Protection Act 2018 + UK GDPR (retained EU law) | ||
| // ============================================================ | ||
| export function createUKGDPRPolicyPack() { | ||
| const controls = [ | ||
| // --- Registration & Accountability --- | ||
| { | ||
| id: "UK-GDPR-01", | ||
| name: "ICO Registration", | ||
| description: "Register with the UK Information Commissioner's Office (ICO) as a data controller or processor if required.", | ||
| category: "privacy-governance", | ||
| framework: "UK-GDPR", | ||
| status: "not-implemented", | ||
| severity: "critical", | ||
| implementation_guidance: "Register with the ICO and pay the annual data protection fee if processing personal data (unless exempt). Maintain accurate registration entries describing processing purposes. Update registration when processing activities change. The ICO registration number must be available for inspection. [Ref: DPA 2018 Part 3 Section 137; ICO Registration Guidance]", | ||
| checks: [ | ||
| { id: "UK-GDPR-01-C1", description: "ICO registration completed and current", status: "not-implemented" }, | ||
| { id: "UK-GDPR-01-C2", description: "Annual data protection fee paid", status: "not-implemented" }, | ||
| { id: "UK-GDPR-01-C3", description: "Registration entries reviewed and updated", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| { | ||
| id: "UK-GDPR-02", | ||
| name: "Data Protection Officer (UK)", | ||
| description: "Designate a Data Protection Officer where required under UK GDPR and ensure ICO notification.", | ||
| category: "privacy-governance", | ||
| framework: "UK-GDPR", | ||
| status: "not-implemented", | ||
| severity: "high", | ||
| implementation_guidance: "Designate a DPO if: a public authority (unless exempt), core activities require large-scale regular and systematic monitoring, or large-scale processing of special category data. Submit DPO contact details to the ICO. DPO must report to highest management level, operate independently, and not receive instructions on how to perform tasks. [Ref: UK GDPR Article 37; DPA 2018 Part 3 Section 69]", | ||
| checks: [ | ||
| { id: "UK-GDPR-02-C1", description: "DPO designated if required", status: "not-implemented" }, | ||
| { id: "UK-GDPR-02-C2", description: "DPO contact details submitted to ICO", status: "not-implemented" }, | ||
| { id: "UK-GDPR-02-C3", description: "DPO independence and reporting line documented", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| { | ||
| id: "UK-GDPR-03", | ||
| name: "Records of Processing Activities (UK)", | ||
| description: "Maintain ROPA documenting all UK personal data processing activities.", | ||
| category: "data-inventory", | ||
| framework: "UK-GDPR", | ||
| status: "not-implemented", | ||
| severity: "critical", | ||
| implementation_guidance: "Maintain written records of processing activities including: controller/processor details, processing purposes, data categories, data subject categories, recipient categories, third-country transfers, retention periods, and security measures. Organizations with fewer than 250 employees are exempt unless processing is likely to risk rights, not occasional, or involves special category/criminal data. [Ref: UK GDPR Article 30]", | ||
| checks: [ | ||
| { id: "UK-GDPR-03-C1", description: "ROPA maintained with all Article 30 required fields", status: "not-implemented" }, | ||
| { id: "UK-GDPR-03-C2", description: "ROPA reviewed and updated when processing changes", status: "not-implemented" }, | ||
| { id: "UK-GDPR-03-C3", description: "Exemption assessment documented if applicable", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| // --- Special Category & Criminal Data --- | ||
| { | ||
| id: "UK-GDPR-04", | ||
| name: "Special Category Data Conditions", | ||
| description: "Identify the Article 9 condition AND a Schedule 1 DPA 2018 condition for processing special category data under UK law.", | ||
| category: "consent-management", | ||
| framework: "UK-GDPR", | ||
| status: "not-implemented", | ||
| severity: "critical", | ||
| implementation_guidance: "For special category data (race, ethnicity, political, religious, trade union, genetic, biometric, health, sex life, sexual orientation), identify both a UK GDPR Article 9 condition AND a Schedule 1 of the DPA 2018 condition. Some Schedule 1 conditions require an 'appropriate policy document'. For criminal offence data, identify a Article 10 condition and Schedule 1 Part 2 condition. [Ref: UK GDPR Article 9-10; DPA 2018 Schedule 1]", | ||
| checks: [ | ||
| { id: "UK-GDPR-04-C1", description: "Article 9 condition identified for each special category processing", status: "not-implemented" }, | ||
| { id: "UK-GDPR-04-C2", description: "Schedule 1 DPA 2018 condition identified", status: "not-implemented" }, | ||
| { id: "UK-GDPR-04-C3", description: "Appropriate policy document in place where required", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| // --- Lawful Basis & Consent --- | ||
| { | ||
| id: "UK-GDPR-05", | ||
| name: "Lawful Basis for Processing (UK)", | ||
| description: "Document and communicate the lawful basis for each processing activity under UK GDPR Article 6.", | ||
| category: "consent-management", | ||
| framework: "UK-GDPR", | ||
| status: "not-implemented", | ||
| severity: "high", | ||
| implementation_guidance: "Identify and document the Article 6 lawful basis for each processing activity: consent, contract, legal obligation, vital interests, public task, or legitimate interests. Conduct Legitimate Interests Assessments (LIAs) where relying on that basis. Include the lawful basis in privacy notices. For children's data, ensure consent is given or authorized by a holder of parental responsibility (under 13 in UK). [Ref: UK GDPR Article 6; ICO Guidance on Children]", | ||
| checks: [ | ||
| { id: "UK-GDPR-05-C1", description: "Lawful basis documented per processing activity", status: "not-implemented" }, | ||
| { id: "UK-GDPR-05-C2", description: "Legitimate Interest Assessments conducted where applicable", status: "not-implemented" }, | ||
| { id: "UK-GDPR-05-C3", description: "Children's data protections (age 13 threshold) implemented", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| // --- Individual Rights --- | ||
| { | ||
| id: "UK-GDPR-06", | ||
| name: "UK Data Subject Rights", | ||
| description: "Implement all UK GDPR data subject rights with ICO-compliant response procedures.", | ||
| category: "data-subject-rights", | ||
| framework: "UK-GDPR", | ||
| status: "not-implemented", | ||
| severity: "critical", | ||
| implementation_guidance: "Implement rights: access (Article 15), rectification (16), erasure (17), restriction (18), portability (20), objection (21), and automated decision-making (22). Respond within one month (extendable by two months for complex requests). Provide free first copy of data. Use ICO guidance for handling requests that are manifestly unfounded or excessive. [Ref: UK GDPR Articles 12-22]", | ||
| checks: [ | ||
| { id: "UK-GDPR-06-C1", description: "All 7 data subject rights implemented", status: "not-implemented" }, | ||
| { id: "UK-GDPR-06-C2", description: "Response within one month with extension procedure", status: "not-implemented" }, | ||
| { id: "UK-GDPR-06-C3", description: "Manifestly unfounded/excessive request handling documented", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| // --- Privacy by Design & DPIA --- | ||
| { | ||
| id: "UK-GDPR-07", | ||
| name: "Data Protection Impact Assessment (DPIA)", | ||
| description: "Conduct DPIAs for high-risk processing under UK GDPR and ICO guidance.", | ||
| category: "privacy-governance", | ||
| framework: "UK-GDPR", | ||
| status: "not-implemented", | ||
| severity: "high", | ||
| implementation_guidance: "Conduct DPIAs for: large-scale special category data, systematic monitoring of public areas, systematic and extensive profiling, large-scale processing of vulnerable groups. Follow ICO DPIA template. Consult the ICO if high residual risks remain. Review DPIAs when processing changes. [Ref: UK GDPR Article 35; ICO DPIA Guidance]", | ||
| checks: [ | ||
| { id: "UK-GDPR-07-C1", description: "DPIA screening criteria established", status: "not-implemented" }, | ||
| { id: "UK-GDPR-07-C2", description: "DPIAs conducted for high-risk processing", status: "not-implemented" }, | ||
| { id: "UK-GDPR-07-C3", description: "ICO prior consultation when residual high risk", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| // --- International Transfers --- | ||
| { | ||
| id: "UK-GDPR-08", | ||
| name: "UK International Transfer Mechanisms", | ||
| description: "Use UK-approved transfer mechanisms for international personal data transfers.", | ||
| category: "cross-border-transfers", | ||
| framework: "UK-GDPR", | ||
| status: "not-implemented", | ||
| severity: "critical", | ||
| implementation_guidance: "Transfer to adequate countries per UK adequacy regulations (EEA, Gibraltar, and others as designated). For non-adequate countries use: International Data Transfer Agreement (IDTA), UK Addendum to EU SCCs, Binding Corporate Rules (BCRs), or derogations (Article 49). Conduct Transfer Risk Assessments (TRAs) per ICO guidance. [Ref: UK GDPR Chapter V; ICO International Transfers Guidance]", | ||
| checks: [ | ||
| { id: "UK-GDPR-08-C1", description: "Transfer register maintained with mechanism per transfer", status: "not-implemented" }, | ||
| { id: "UK-GDPR-08-C2", description: "IDTA or UK Addendum executed for non-adequate transfers", status: "not-implemented" }, | ||
| { id: "UK-GDPR-08-C3", description: "Transfer Risk Assessments conducted per ICO guidance", status: "not-implemented" }, | ||
| { id: "UK-GDPR-08-C4", description: "UK adequacy regulations monitored for updates", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| // --- Security --- | ||
| { | ||
| id: "UK-GDPR-09", | ||
| name: "Security of Processing (UK)", | ||
| description: "Implement appropriate technical and organizational security measures per UK GDPR Article 32.", | ||
| category: "security-controls", | ||
| framework: "UK-GDPR", | ||
| status: "not-implemented", | ||
| severity: "critical", | ||
| implementation_guidance: "Implement measures appropriate to risk: pseudonymisation, encryption, confidentiality, integrity, availability, resilience, and restoration procedures. Follow ICO security guidance. Regularly test and evaluate effectiveness. Document security risk assessments. [Ref: UK GDPR Article 32; ICO Security Guidance]", | ||
| checks: [ | ||
| { id: "UK-GDPR-09-C1", description: "Security measures documented and risk-assessed", status: "not-implemented" }, | ||
| { id: "UK-GDPR-09-C2", description: "Encryption and pseudonymisation implemented", status: "not-implemented" }, | ||
| { id: "UK-GDPR-09-C3", description: "Measures tested and evaluated regularly", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| // --- Breach Notification --- | ||
| { | ||
| id: "UK-GDPR-10", | ||
| name: "ICO Breach Notification", | ||
| description: "Notify the ICO of personal data breaches within 72 hours and notify affected individuals when high risk.", | ||
| category: "incident-management", | ||
| framework: "UK-GDPR", | ||
| status: "not-implemented", | ||
| severity: "critical", | ||
| implementation_guidance: "Notify the ICO within 72 hours of becoming aware of a personal data breach posing risk to individuals (unless unlikely to result in risk). Use the ICO's personal data breach reporting service. If high risk to individuals, notify them without undue delay. Document all breaches including those not requiring notification. [Ref: UK GDPR Article 33-34; ICO Breach Reporting Guidance]", | ||
| checks: [ | ||
| { id: "UK-GDPR-10-C1", description: "ICO 72-hour notification procedure implemented", status: "not-implemented" }, | ||
| { id: "UK-GDPR-10-C2", description: "Individual notification for high-risk breaches", status: "not-implemented" }, | ||
| { id: "UK-GDPR-10-C3", description: "Internal breach register maintained", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| // --- Processor Management --- | ||
| { | ||
| id: "UK-GDPR-11", | ||
| name: "Data Processor Contracts (UK)", | ||
| description: "Execute Article 28-compliant data processing contracts with all processors.", | ||
| category: "vendor-management", | ||
| framework: "UK-GDPR", | ||
| status: "not-implemented", | ||
| severity: "high", | ||
| implementation_guidance: "Execute written contracts with processors covering: subject matter, duration, nature/purpose, data types, data subject obligations, processor duties (act on documented instructions, confidentiality, security, sub-processor controls, data return/deletion, audit assistance). Use ICO-approved contract templates. [Ref: UK GDPR Article 28]", | ||
| checks: [ | ||
| { id: "UK-GDPR-11-C1", description: "Article 28 contracts executed with all processors", status: "not-implemented" }, | ||
| { id: "UK-GDPR-11-C2", description: "Sub-processor flow-down terms included", status: "not-implemented" }, | ||
| { id: "UK-GDPR-11-C3", description: "Contracts reviewed for ICO compliance", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| // --- Accountability & Governance --- | ||
| { | ||
| id: "UK-GDPR-12", | ||
| name: "Accountability Principle (UK)", | ||
| description: "Demonstrate compliance with UK GDPR accountability principle through documented evidence.", | ||
| category: "privacy-governance", | ||
| framework: "UK-GDPR", | ||
| status: "not-implemented", | ||
| severity: "high", | ||
| implementation_guidance: "Maintain evidence of compliance: policies, procedures, training records, DPIAs, audit results, ROPA, consent records, contracts, breach records, and DPO reports. Conduct annual self-assessments using the ICO accountability framework. Implement a data protection by design approach. [Ref: UK GDPR Article 5(2); ICO Accountability Framework]", | ||
| checks: [ | ||
| { id: "UK-GDPR-12-C1", description: "Accountability evidence maintained and organized", status: "not-implemented" }, | ||
| { id: "UK-GDPR-12-C2", description: "Annual ICO accountability self-assessment conducted", status: "not-implemented" }, | ||
| { id: "UK-GDPR-12-C3", description: "Data protection by design integrated into projects", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| // --- Direct Marketing --- | ||
| { | ||
| id: "UK-GDPR-13", | ||
| name: "Direct Marketing (PECR)", | ||
| description: "Comply with Privacy and Electronic Communications Regulations (PECR) for marketing.", | ||
| category: "consent-management", | ||
| framework: "UK-GDPR", | ||
| status: "not-implemented", | ||
| severity: "high", | ||
| implementation_guidance: "Obtain consent before sending electronic marketing (email, SMS, in-app) to individuals. Provide clear opt-out in every message. Honor opt-outs promptly. For existing customers (soft opt-in), ensure similar products/services and clear opt-out. PECR works alongside UK GDPR for marketing. [Ref: PECR; ICO Direct Marketing Guidance]", | ||
| checks: [ | ||
| { id: "UK-GDPR-13-C1", description: "PECR-compliant consent obtained for electronic marketing", status: "not-implemented" }, | ||
| { id: "UK-GDPR-13-C2", description: "Opt-out mechanism in every marketing message", status: "not-implemented" }, | ||
| { id: "UK-GDPR-13-C3", description: "Soft opt-in criteria assessed for existing customers", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| // --- UK Representative --- | ||
| { | ||
| id: "UK-GDPR-14", | ||
| name: "UK Representative", | ||
| description: "Appoint a UK representative if offering goods/services or monitoring individuals in the UK from outside the UK.", | ||
| category: "privacy-governance", | ||
| framework: "UK-GDPR", | ||
| status: "not-implemented", | ||
| severity: "medium", | ||
| implementation_guidance: "If based outside the UK and processing UK personal data related to offering goods/services or behavior monitoring, appoint a UK-based representative. The representative acts as a point of contact for data subjects and the ICO. Document the representative appointment and make contact details available to data subjects. [Ref: UK GDPR Article 27]", | ||
| checks: [ | ||
| { id: "UK-GDPR-14-C1", description: "UK representative appointed if applicable", status: "not-implemented" }, | ||
| { id: "UK-GDPR-14-C2", description: "Representative contact details available to data subjects", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| ]; | ||
| return { | ||
| id: "uk-gdpr", | ||
| name: "UK GDPR & Data Protection Act 2018 Pack", | ||
| description: "Comprehensive UK data protection controls covering UK GDPR articles and DPA 2018: ICO registration, special category data conditions (Schedule 1), PECR direct marketing, IDTA/UK Addendum transfers, and ICO 72-hour breach notification.", | ||
| version: "1.0.0", | ||
| project_types: ["saas", "generic-web-application", "api-backend", "mobile-application"], | ||
| controls, | ||
| frameworks: ["UK-GDPR"], | ||
| }; | ||
| } | ||
| // ============================================================ | ||
| // SWITZERLAND — FADP (Federal Act on Data Protection, revFADP) | ||
| // In effect: September 1, 2023 | ||
| // ============================================================ | ||
| export function createSwissFADPPolicyPack() { | ||
| const controls = [ | ||
| { | ||
| id: "FADP-01", | ||
| name: "Data Protection Officer / Advisor", | ||
| description: "Designate a data protection advisor if processing high-risk personal data on a large scale.", | ||
| category: "privacy-governance", | ||
| framework: "FADP", | ||
| status: "not-implemented", | ||
| severity: "high", | ||
| implementation_guidance: "Designate a data protection advisor if a data security risk assessment indicates a high risk to personality or fundamental rights, particularly for large-scale or sensitive data processing. The advisor maintains the data processing register, advises on DPIAs, and liaises with the FDPIC. [Ref: FADP Article 10]", | ||
| checks: [ | ||
| { id: "FADP-01-C1", description: "Risk assessment conducted to determine advisor requirement", status: "not-implemented" }, | ||
| { id: "FADP-01-C2", description: "Advisor designated if high-risk threshold met", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| { | ||
| id: "FADP-02", | ||
| name: "Principles of Data Processing", | ||
| description: "Comply with FADP principles: lawfulness, proportionality, purpose, transparency, and accuracy.", | ||
| category: "consent-management", | ||
| framework: "FADP", | ||
| status: "not-implemented", | ||
| severity: "critical", | ||
| implementation_guidance: "Process personal data lawfully, in good faith, and proportionally. Process only for the purpose indicated at collection, which must be recognizable. Process special categories (health, biometric, genetic, racial, religious, political, trade union, sexual) only with explicit consent or narrow legal exceptions. [Ref: FADP Articles 6-7]", | ||
| checks: [ | ||
| { id: "FADP-02-C1", description: "Processing purposes documented and communicated", status: "not-implemented" }, | ||
| { id: "FADP-02-C2", description: "Explicit consent obtained for special category data", status: "not-implemented" }, | ||
| { id: "FADP-02-C3", description: "Proportionality assessment conducted", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| { | ||
| id: "FADP-03", | ||
| name: "Transparency and Information Duties", | ||
| description: "Provide information to data subjects about data collection and processing.", | ||
| category: "privacy-governance", | ||
| framework: "FADP", | ||
| status: "not-implemented", | ||
| severity: "high", | ||
| implementation_guidance: "When collecting personal data, actively inform data subjects of: controller identity, processing purpose, data categories, recipients, retention, cross-border transfers, and data subject rights. For data obtained from third parties, inform within a reasonable timeframe. Publish privacy notices in clear language. [Ref: FADP Article 19]", | ||
| checks: [ | ||
| { id: "FADP-03-C1", description: "Privacy notices published with all FADP-required information", status: "not-implemented" }, | ||
| { id: "FADP-03-C2", description: "Third-party data subjects informed within reasonable time", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| { | ||
| id: "FADP-04", | ||
| name: "Data Subject Rights", | ||
| description: "Implement FADP data subject rights including access, correction, destruction, and objection.", | ||
| category: "data-subject-rights", | ||
| framework: "FADP", | ||
| status: "not-implemented", | ||
| severity: "high", | ||
| implementation_guidance: "Implement rights: information about processing, access to personal data, correction of inaccurate data, destruction of unlawfully processed data, objection to direct marketing/profiling, and restriction. Respond within 30 days (extendable by 60). Provide free access. Charge reasonable fees for copies. [Ref: FADP Articles 25-27]", | ||
| checks: [ | ||
| { id: "FADP-04-C1", description: "All FADP data subject rights implemented", status: "not-implemented" }, | ||
| { id: "FADP-04-C2", description: "Response within 30 days with extension procedure", status: "not-implemented" }, | ||
| { id: "FADP-04-C3", description: "Direct marketing objection respected", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| { | ||
| id: "FADP-05", | ||
| name: "Data Security and Breach Notification", | ||
| description: "Implement appropriate security measures and notify the FDPIC of qualifying data breaches.", | ||
| category: "security-controls", | ||
| framework: "FADP", | ||
| status: "not-implemented", | ||
| severity: "critical", | ||
| implementation_guidance: "Implement appropriate technical and organizational security measures based on risk. Maintain a data processing register. Notify the FDPIC as soon as possible when a data breach is likely to result in a high risk to the personality or fundamental rights of data subjects. The FDPIC may then inform the public. [Ref: FADP Articles 7, 24]", | ||
| checks: [ | ||
| { id: "FADP-05-C1", description: "Security measures documented and risk-assessed", status: "not-implemented" }, | ||
| { id: "FADP-05-C2", description: "Data processing register maintained", status: "not-implemented" }, | ||
| { id: "FADP-05-C3", description: "FDPIC breach notification procedure for high-risk breaches", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| { | ||
| id: "FADP-06", | ||
| name: "Cross-Border Data Transfers", | ||
| description: "Ensure adequate protection for personal data transferred outside Switzerland.", | ||
| category: "cross-border-transfers", | ||
| framework: "FADP", | ||
| status: "not-implemented", | ||
| severity: "high", | ||
| implementation_guidance: "Transfer to countries providing adequate protection (the Swiss FDPIC recognizes EU/EEA and certain other countries as adequate). For non-adequate countries, use safeguards: SCCs (Swiss-specific or EU SCCs with Swiss modifications), BCRs, or FDPIC-approved mechanisms. Conduct transfer assessments. [Ref: FADP Article 16]", | ||
| checks: [ | ||
| { id: "FADP-06-C1", description: "Adequacy assessment conducted per destination country", status: "not-implemented" }, | ||
| { id: "FADP-06-C2", description: "Swiss SCCs or equivalent safeguards for non-adequate transfers", status: "not-implemented" }, | ||
| { id: "FADP-06-C3", description: "FDPIC adequacy list monitored", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| { | ||
| id: "FADP-07", | ||
| name: "DPIA for High-Risk Processing", | ||
| description: "Conduct Data Protection Impact Assessments for processing likely to result in high risks.", | ||
| category: "privacy-governance", | ||
| framework: "FADP", | ||
| status: "not-implemented", | ||
| severity: "medium", | ||
| implementation_guidance: "Conduct a DPIA before processing that is likely to result in high risks to personality or fundamental rights, such as: systematic monitoring, large-scale processing of sensitive data, profiling with significant effects, or innovative technologies. Document DPIA methodology, risks, and mitigation measures. [Ref: FADP Article 22-23]", | ||
| checks: [ | ||
| { id: "FADP-07-C1", description: "DPIA criteria established for high-risk processing", status: "not-implemented" }, | ||
| { id: "FADP-07-C2", description: "DPIAs documented with risk assessments", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| { | ||
| id: "FADP-08", | ||
| name: "Processor Management (FADP)", | ||
| description: "Execute written contracts with processors processing personal data on behalf of the controller.", | ||
| category: "vendor-management", | ||
| framework: "FADP", | ||
| status: "not-implemented", | ||
| severity: "high", | ||
| implementation_guidance: "Execute written contracts with processors covering: processing only on documented instructions, security obligations, confidentiality, sub-processor controls, data return/deletion, and audit assistance. Processors are jointly and severally liable with controllers for compliance. [Ref: FADP Article 9]", | ||
| checks: [ | ||
| { id: "FADP-08-C1", description: "Written contracts with all processors", status: "not-implemented" }, | ||
| { id: "FADP-08-C2", description: "Contracts include FADP Article 9 requirements", status: "not-implemented" }, | ||
| ], | ||
| }, | ||
| ]; | ||
| return { | ||
| id: "ch-fadp", | ||
| name: "Switzerland FADP Pack (revFADP 2023)", | ||
| description: "Comprehensive Swiss Federal Act on Data Protection controls: FDPIC requirements, FADP principles (Articles 6-7), transparency duties (Article 19), data subject rights (Articles 25-27), cross-border transfers (Article 16), DPIA (Articles 22-23), and breach notification (Article 24).", | ||
| version: "1.0.0", | ||
| project_types: ["saas", "generic-web-application", "api-backend"], | ||
| controls, | ||
| frameworks: ["FADP"], | ||
| }; | ||
| } |
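Review bot: The statutory references in the Swiss pack's implementation_guidance strings look off in places and, since they are user-facing compliance text, should be verified against the revised FADP before release: FADP-05 cites "Articles 7, 24" for security measures and the processing register, but as I read the revised Act data security is Article 8, the register of processing activities is Article 12, and Article 7 is data protection by design and by default (Article 24 for breach notification is correct). In the UK pack, control UK-GDPR-13 is a PECR obligation yet the pack's `frameworks` array is only `["UK-GDPR"]`; if consumers filter packs or controls by framework name, PECR is invisible, so consider `frameworks: ["UK-GDPR", "PECR"]` and the same value on that control's `framework` field, after confirming the name is not used as a lookup key elsewhere. Minor wording in UK-GDPR-04: `identify a Article 10 condition` should read `identify an Article 10 condition`.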
+7
-0
@@ -17,1 +17,8 @@ import type { PolicyPack, ProjectType } from "@greenarmor/ges-core"; | ||
| export { createHIPAAPolicyPack } from "./packs/hipaa.js"; | ||
| export { createPrivacyCorePolicyPack } from "./packs/privacy-core.js"; | ||
| export { createUKGDPRPolicyPack, createSwissFADPPolicyPack } from "./packs/privacy-europe.js"; | ||
| export { createSingaporePDPAPolicyPack, createPhilippinesDPAPolicyPack, createJapanAPPIPolicyPack, createSouthKoreaPIPAPolicyPack, createChinaPIPLPolicyPack, createIndiaDPDPAPolicyPack, } from "./packs/privacy-asia.js"; | ||
| export { createBrazilLGPDPolicyPack, createCanadaPIPEDAPolicyPack, createCaliforniaCRPAPolicyPack } from "./packs/privacy-americas.js"; | ||
| export { createSouthAfricaPOPIAPolicyPack, createUAEPDPLPolicyPack, createSaudiArabiaPDPLPolicyPack } from "./packs/privacy-africa-me.js"; | ||
| export { PRIVACY_COUNTRIES, getCountryByCode, getCountryPackId, getCountriesByRegion } from "./packs/countries.js"; | ||
| export type { CountryPrivacyPack } from "./packs/countries.js"; |
+51
-0
@@ -12,2 +12,7 @@ import { createGDPRPolicyPack } from "./packs/gdpr.js"; | ||
| import { createHIPAAPolicyPack } from "./packs/hipaa.js"; | ||
| import { createPrivacyCorePolicyPack } from "./packs/privacy-core.js"; | ||
| import { createUKGDPRPolicyPack, createSwissFADPPolicyPack } from "./packs/privacy-europe.js"; | ||
| import { createSingaporePDPAPolicyPack, createPhilippinesDPAPolicyPack, createJapanAPPIPolicyPack, createSouthKoreaPIPAPolicyPack, createChinaPIPLPolicyPack, createIndiaDPDPAPolicyPack, } from "./packs/privacy-asia.js"; | ||
| import { createBrazilLGPDPolicyPack, createCanadaPIPEDAPolicyPack, createCaliforniaCRPAPolicyPack } from "./packs/privacy-americas.js"; | ||
| import { createSouthAfricaPOPIAPolicyPack, createUAEPDPLPolicyPack, createSaudiArabiaPDPLPolicyPack } from "./packs/privacy-africa-me.js"; | ||
| const ALL_PACKS = [ | ||
@@ -25,2 +30,22 @@ createGDPRPolicyPack, | ||
| createHIPAAPolicyPack, | ||
| // Global Privacy Framework | ||
| createPrivacyCorePolicyPack, | ||
| // Europe | ||
| createUKGDPRPolicyPack, | ||
| createSwissFADPPolicyPack, | ||
| // Asia-Pacific | ||
| createSingaporePDPAPolicyPack, | ||
| createPhilippinesDPAPolicyPack, | ||
| createJapanAPPIPolicyPack, | ||
| createSouthKoreaPIPAPolicyPack, | ||
| createChinaPIPLPolicyPack, | ||
| createIndiaDPDPAPolicyPack, | ||
| // Americas | ||
| createBrazilLGPDPolicyPack, | ||
| createCanadaPIPEDAPolicyPack, | ||
| createCaliforniaCRPAPolicyPack, | ||
| // Africa + Middle East | ||
| createSouthAfricaPOPIAPolicyPack, | ||
| createUAEPDPLPolicyPack, | ||
| createSaudiArabiaPDPLPolicyPack, | ||
| ]; | ||
@@ -39,2 +64,22 @@ const PACK_MAP = { | ||
| hipaa: createHIPAAPolicyPack, | ||
| // Global Privacy Framework | ||
| "privacy-core": createPrivacyCorePolicyPack, | ||
| // Europe | ||
| "uk-gdpr": createUKGDPRPolicyPack, | ||
| "ch-fadp": createSwissFADPPolicyPack, | ||
| // Asia-Pacific | ||
| "sg-pdpa": createSingaporePDPAPolicyPack, | ||
| "ph-dpa": createPhilippinesDPAPolicyPack, | ||
| "jp-appi": createJapanAPPIPolicyPack, | ||
| "kr-pipa": createSouthKoreaPIPAPolicyPack, | ||
| "cn-pipl": createChinaPIPLPolicyPack, | ||
| "in-dpdpa": createIndiaDPDPAPolicyPack, | ||
| // Americas | ||
| "br-lgpd": createBrazilLGPDPolicyPack, | ||
| "ca-pipeda": createCanadaPIPEDAPolicyPack, | ||
| "us-cpra": createCaliforniaCRPAPolicyPack, | ||
| // Africa + Middle East | ||
| "za-popia": createSouthAfricaPOPIAPolicyPack, | ||
| "ae-pdpl": createUAEPDPLPolicyPack, | ||
| "sa-pdpl": createSaudiArabiaPDPLPolicyPack, | ||
| }; | ||
@@ -65,1 +110,7 @@ export function getAllPacks() { | ||
| export { createHIPAAPolicyPack } from "./packs/hipaa.js"; | ||
| export { createPrivacyCorePolicyPack } from "./packs/privacy-core.js"; | ||
| export { createUKGDPRPolicyPack, createSwissFADPPolicyPack } from "./packs/privacy-europe.js"; | ||
| export { createSingaporePDPAPolicyPack, createPhilippinesDPAPolicyPack, createJapanAPPIPolicyPack, createSouthKoreaPIPAPolicyPack, createChinaPIPLPolicyPack, createIndiaDPDPAPolicyPack, } from "./packs/privacy-asia.js"; | ||
| export { createBrazilLGPDPolicyPack, createCanadaPIPEDAPolicyPack, createCaliforniaCRPAPolicyPack } from "./packs/privacy-americas.js"; | ||
| export { createSouthAfricaPOPIAPolicyPack, createUAEPDPLPolicyPack, createSaudiArabiaPDPLPolicyPack } from "./packs/privacy-africa-me.js"; | ||
| export { PRIVACY_COUNTRIES, getCountryByCode, getCountryPackId, getCountriesByRegion } from "./packs/countries.js"; |
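Review bot: The pack ids added to PACK_MAP in the `@@ -39,2 +64,22 @@` hunk (`"uk-gdpr"`, `"ch-fadp"`, `"sg-pdpa"`, …) and the `packId` values in `./packs/countries.js` are maintained by hand with nothing tying them together, so a mismatched id would make `getCountryPackId()` hand `ges init` an id that PACK_MAP cannot resolve and the project would silently get no privacy pack. A consistency check next to the map (after importing PRIVACY_COUNTRIES from `./packs/countries.js`), or the equivalent unit test, closes that gap: `for (const c of PRIVACY_COUNTRIES) if (!Object.hasOwn(PACK_MAP, c.packId)) throw new Error(\`unknown packId ${c.packId} for ${c.code}\`);`. ALL_PACKS in the `@@ -25,2 +30,22 @@` hunk duplicates the same factory list, and deriving it as `Object.values(PACK_MAP)` would remove one more drift point. If the lookup that reads PACK_MAP (outside this diff) indexes the plain object directly with a caller-supplied id, it should guard with `Object.hasOwn` as well so ids such as `constructor` do not resolve to an inherited property.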
+3
-3
| { | ||
| "dependencies": { | ||
| "@greenarmor/ges-compliance-engine": "1.2.8", | ||
| "@greenarmor/ges-core": "1.2.8" | ||
| "@greenarmor/ges-compliance-engine": "1.3.0", | ||
| "@greenarmor/ges-core": "1.3.0" | ||
| }, | ||
@@ -28,3 +28,3 @@ "description": "GESF Policy Engine - Policy packs management and enforcement", | ||
| "types": "./dist/index.d.ts", | ||
| "version": "1.2.8", | ||
| "version": "1.3.0", | ||
| "scripts": { | ||
@@ -31,0 +31,0 @@ "build": "tsc", |